diff -Nru sagan-rules-10222015/adtran.rules sagan-rules-20160923/adtran.rules
--- sagan-rules-10222015/adtran.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/adtran.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan adtran.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -25,5 +25,5 @@ # # Adtran rules by James Lay - 06/25/2012 (actually, added well before that.. hrmph). -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[ADTRAN] TCP INTERNAL BLOCK"; content: "Access Policy"; content: "tcp"; program: FIREWALL; normalize: adtran; classtype: bad-unknown; sid:5001126; reference: url,wiki.quadrantsec.com/bin/view/Main/5001126; rev:2;) -alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"[ADTRAN] UDP INTERNAL BLOCK"; content: "Access Policy"; content: "udp"; program: FIREWALL; normalize: adtran; classtype: bad-unknown; sid:5001127; reference: url,wiki.quadrantsec.com/bin/view/Main/5001127; rev:2;) +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[ADTRAN] TCP INTERNAL BLOCK"; content: "Access Policy"; content: "tcp"; program: FIREWALL; normalize; classtype: bad-unknown; sid:5001126; reference: url,wiki.quadrantsec.com/bin/view/Main/5001126; rev:3;) +alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"[ADTRAN] UDP INTERNAL BLOCK"; content: "Access Policy"; content: "udp"; program: FIREWALL; normalize; classtype: bad-unknown; sid:5001127; reference: url,wiki.quadrantsec.com/bin/view/Main/5001127; rev:3;)
diff -Nru sagan-rules-10222015/apache.rules sagan-rules-20160923/apache.rules
--- sagan-rules-10222015/apache.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/apache.rules 2016-09-21 02:52:28.000000000 +0000
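Review bot: sid 5001126 and 5001127 drop `normalize: adtran` for a bare `normalize;`, so the rule text no longer says which rulebase extracts the source and destination from the Access Policy line, and neither rule has `parse_src_ip` to fall back on; the arp.rules hunk makes the same change to sid 5000061 while this diff deletes arp-normalize.rulebase outright. Unless the adtran and arpalert patterns were moved into a consolidated normalize rulebase (not visible in this diff), these rules would presumably still fire but with the syslog sender as the source address, which is hard to notice in alert output. A short comment above the rules naming where the pattern now lives, e.g. `# src/dst IPs come from the consolidated normalize rulebase (adtran Access Policy pattern)`, would make the dependency visible to the next maintainer.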
@@ -1,5 +1,5 @@
 # Sagan apache.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -32,22 +32,22 @@ # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT ( msg:"[APACHE] Segmentation fault"; content: "signal Segmentation Fault"; classtype: program-error; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000155; sid:5000155; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Attempt to access forbidden file or directory [0/5]"; content: "denied by server configuration"; threshold: type limit, track by_src, count 5, seconds 300; classtype: permissions-violation ; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000156; parse_src_ip: 1; sid:5000156; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Attempt to access forbidden directory index"; content: "Directory index forbidden by rule [0/5]"; threshold: type limit, track by_src, count 5, seconds 300; classtype: permissions-violation; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000157; parse_src_ip: 1; sid:5000157; rev:8;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Attempt to access forbidden file or directory [0/5]"; content: "denied by server configuration"; threshold: type limit, track by_src, count 5, seconds 300; flowbits: set,recon,86400; classtype: permissions-violation ; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000156; parse_src_ip: 1; sid:5000156; rev:8;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Attempt to access forbidden directory index"; content: "Directory index forbidden by rule [0/5]"; threshold: type limit, track by_src, count 5, seconds 300; flowbits: set,recon,86400; classtype: permissions-violation; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000157; parse_src_ip: 1; sid:5000157; rev:9;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Client sent malformed Host header"; content: "Client sent malformed Host header"; 
classtype: string-detect; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000158; parse_src_ip: 1; sid:5000158; rev:6;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] User authentication failed"; content: "authentication failed"; nocase; classtype: unsuccessful-user; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000159; parse_src_ip: 1; sid:5000159; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Attempt to login using a non-existent user"; pcre: "/user \S+ not found/i"; classtype: unsuccessful-user; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000160; parse_src_ip: 1; sid:5000160; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Rapid attempt to access a non-existent file or directory"; pcre: "/file does not exist|No such file or directory/i"; content:!"favicon.ico"; threshold:type limit, track by_src, count 20, seconds 60; classtype: suspicious-filename-detect; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000161; parse_src_ip: 1; sid:5000161; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Attempt to login using a non-existent user"; pcre: "/user \S+ not found/i"; flowbits: set,recon,86400; classtype: unsuccessful-user; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000160; parse_src_ip: 1; sid:5000160; rev:7;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Rapid attempt to access a non-existent file or directory"; pcre: "/file does not exist|No such file or directory/i"; content:!"favicon.ico"; threshold:type limit, track by_src, count 20, seconds 60; flowbits: set,recon,86400; classtype: suspicious-filename-detect; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000161; parse_src_ip: 1; sid:5000161; rev:7;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] 
Attempt to access a non-existent file or stream"; pcre: "/failed opening|failed to open stream/i"; classtype: suspicious-filename-detect; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000378; parse_src_ip: 1; sid:5000378; rev:7;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Invalid URI in request"; content: "Invalid URI in request"; classtype: suspicious-traffic; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000162; parse_src_ip: 1; sid:5000162; rev:6;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Invalid URI, file name too long"; content: "file name too long"; content: "URI too long"; classtype: suspicious-filename-detect; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000163; parse_src_ip: 1; sid:5000163; rev:6;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Mod_Security Access denied"; pcre: "/modsecurity|mod_security|mod_security-message/i"; content: "access denied"; nocase; classtype: web-application-attack; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000165; parse_src_ip: 1; sid:5000165; rev:6;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Resource temporarily unavailable"; content: "Resource temporarily unavailable"; classtype: program-error; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000166; parse_src_ip: 1; sid:5000166; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Directory traversal attempt - 1"; content: "?C=S;O=A"; classtype: suspicious-traffic; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000359; parse_src_ip: 1; sid: 5000359; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Directory traversal attempt - 2"; content: "?C=M;O=A"; classtype: suspicious-traffic; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000360; 
parse_src_ip: 1; sid: 5000360; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Robots.txt access"; content: "robots.txt"; content:!" 404 "; classtype: unknown; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000361; parse_src_ip: 1; sid: 5000361; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] PHPinfo access attempt [0/5]"; content: "phpinfo"; content:!" 404 "; classtype: attempted-recon; flowbits: set, recon, 86400; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000362; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; sid: 5000362; rev:9;) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Php-my-admin access attempt [0/5]"; content: "phpmyadmin"; nocase; content:!" 404 "; classtype: web-application-attack; program: apachehttpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000364; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; sid: 5000364; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Directory traversal attempt - 1"; content: "?C=S;O=A"; flowbits: set,recon,86400; classtype: suspicious-traffic; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000359; parse_src_ip: 1; sid: 5000359; rev:7;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Directory traversal attempt - 2"; content: "?C=M;O=A"; flowbits: set,recon,86400; classtype: suspicious-traffic; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000360; parse_src_ip: 1; sid: 5000360; rev:7;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Robots.txt access"; content: "robots.txt"; content:!" 
404 "; flowbits: set,recon,86400; classtype: unknown; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000361; parse_src_ip: 1; sid: 5000361; rev:8;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] PHPinfo access attempt [0/5]"; content: "phpinfo"; content:!" 404 "; flowbits: set,recon,86400; classtype: attempted-recon; flowbits: set, recon, 86400; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000362; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; sid: 5000362; rev:10;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Php-my-admin access attempt [0/5]"; content: "phpmyadmin"; nocase; content:!" 404 "; flowbits: set,recon,86400; classtype: web-application-attack; program: apachehttpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000364; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; sid: 5000364; rev:7;) # CVE-2014-6271 (09/24/2014 - Champ Clark III)
diff -Nru sagan-rules-10222015/apc-emu.rules sagan-rules-20160923/apc-emu.rules
--- sagan-rules-10222015/apc-emu.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/apc-emu.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan apc-emu.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/arp-normalize.rulebase sagan-rules-20160923/arp-normalize.rulebase
--- sagan-rules-10222015/arp-normalize.rulebase 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/arp-normalize.rulebase 1970-01-01 00:00:00.000000000 +0000
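Review bot: sid 5000362 (PHPinfo) now sets the same flowbit twice — the new `flowbits: set,recon,86400;` after the threshold plus the pre-existing `flowbits: set, recon, 86400;` after classtype — so one of the two should be removed. sid 5000364 (Php-my-admin) is also revised here (rev 6 to 7) but keeps `program: apachehttpd;`, which lacks the `|` every other rule in this hunk uses and so presumably matches neither program name; it should read `program: apache|httpd;`.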
@@ -1,36 +0,0 @@
-# Sagan arp-normalize.rulebase
-# Copyright (c) 2009-2015, Quadrant Information Security
-# All rights reserved.
-#
-# This file is used in conjunction with liblognorm.
-#
-# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
-#
-#*************************************************************
-# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
-# following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
-# disclaimer.
-# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
-# following disclaimer in the documentation and/or other materials provided with the distribution.
-# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
-# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
-# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#
-#*************************************************************
-
-prefix=
-
-# arpalert
-# seq=277, mac=00:01:d7:35:55:06, ip=172.22.1.53, reference=172.22.2.69, type=ip_change, dev=eth0, vendor="F5 Networks, Inc."
-
-rule=: seq=%-:word%, mac=%-:word%, ip=%src-ip:ipv4%, reference=%dst-ip:ipv4%, %-:rest%
-
diff -Nru sagan-rules-10222015/arp.rules sagan-rules-20160923/arp.rules
--- sagan-rules-10222015/arp.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/arp.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan arp.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -28,7 +28,7 @@ # "arpalert" rules - http://www.arpalert.org alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[ARP] arpalert - Detected new machine on the network"; content: "type=new"; classtype: suspicious-traffic; program: arpalert; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000060; sid: 5000060; rev:3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpalert - Detected ip change"; content: "type=ip_change"; classtype: suspicious-traffic; program: arpalert; normalize: arp; reference: url,wiki.quadrantsec.com/bin/view/Main/5000061; sid: 5000061; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpalert - Detected ip change"; content: "type=ip_change"; classtype: suspicious-traffic; program: arpalert; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000061; sid: 5000061; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpalert - Detected new machine on the network [mac-new]"; content: "type=new_mac"; classtype: suspicious-traffic; program: arpalert; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001079; sid: 5001079; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpalert - MAC address flood"; content: "type=flood"; classtype: suspicious-traffic; program: arpalert; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001080; sid: 5001080; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpalert - MAC address blacklisted"; content: "type=black_listed"; classtype: suspicious-traffic; program: arpalert; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001081; sid: 5001081; rev:2;)
diff -Nru sagan-rules-10222015/artillery.rules sagan-rules-20160923/artillery.rules
--- sagan-rules-10222015/artillery.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/artillery.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan artillery.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -45,7 +45,7 @@ # ftp_monitor.py # write_log("Artillery has blocked (blacklisted) the following IP for FTP brute forcing violations: " + ipaddress) -alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[ARTILLERY] FTP brute force violation"; content: "FTP brute forcing"; flowbits: set,brute_force,86400; classtype: unsuccessful-user; parse_src_ip: 1; program: Artillery; reference: url,wiki.quadrantsec.com/bin/view/Main/5002081; reference: url,www.trustedsec.com/downloads/artillery; sid:5002081; rev:3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[ARTILLERY] FTP brute force violation"; content: "FTP brute forcing"; flowbits: set,brute_force&honeypot,21600; classtype: unsuccessful-user; parse_src_ip: 1; program: Artillery; reference: url,wiki.quadrantsec.com/bin/view/Main/5002081; reference: url,www.trustedsec.com/downloads/artillery; sid:5002081; rev:5;) # harden.py # Issue identified: %s permissions are not set to root. If an attacker compromises the system and is running under the Apache user account, could view these files. Recommendation: Change the permission of %s to root:root. Command: chown root:root %s\n\n" % (filename,filename,filename)
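Review bot: The FTP rule (sid 5002081) sets `brute_force&honeypot` with a 21600-second expiry, while the SSH rule in the @@ -86 hunk sets the same pair with 86400 and the two honeypot rules in @@ -70 use 86400 as well, so the same class of Artillery event now ages out of flowbit state at different rates. If the shorter window for FTP is deliberate, a comment above the rule saying why would help; otherwise `flowbits: set,brute_force&honeypot,86400;` keeps the three brute-force/honeypot rules consistent. The rev also jumps from 3 to 5, which suggests an intermediate edit that is not in this diff.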
@@ -70,12 +70,12 @@ # honeypot.py # %s [!] Artillery has blocked (and blacklisted) the IP Address: %s for connecting to a honeypot restricted port: %s" % (now, ip, port) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARTILLERY] Honeyport blocked/blacklisted address"; content: "honeypot restricted port"; content: "blocked"; parse_src_ip: 1; classtype: suspicious-traffic; program: Artillery; reference: url,wiki.quadrantsec.com/bin/view/Main/5002086; reference: url,www.trustedsec.com/downloads/artillery; sid:5002086; rev:2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARTILLERY] Honeyport blocked/blacklisted address"; content: "honeypot restricted port"; content: "blocked"; parse_src_ip: 1; flowbits: set,honeypot,86400; classtype: suspicious-traffic; program: Artillery; reference: url,wiki.quadrantsec.com/bin/view/Main/5002086; reference: url,www.trustedsec.com/downloads/artillery; sid:5002086; rev:3;) # honeypot.py # %s [!] Artillery has detected an attack from IP address: %s for a connection on a honeypot port: %s" % (now, ip, port) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARTILLERY] Honeyport attack detected"; content: "detected an attack"; content: "honeypot"; parse_src_ip: 1; classtype: suspicious-traffic; program: Artillery; reference: url,wiki.quadrantsec.com/bin/view/Main/5002087; reference: url,www.trustedsec.com/downloads/artillery; sid:5002087; rev:1;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARTILLERY] Honeyport attack detected"; content: "detected an attack"; content: "honeypot"; parse_src_ip: 1; flowbits: set,honeypot,86400; classtype: suspicious-traffic; program: Artillery; reference: url,wiki.quadrantsec.com/bin/view/Main/5002087; reference: url,www.trustedsec.com/downloads/artillery; sid:5002087; rev:2;) # monitor.py # output_file = "********************************** The following changes were detect at %s **********************************\n" % (datetime.datetime.now()) + output_file + 
"\n********************************** End of changes. **********************************\n\n" @@ -86,6 +86,6 @@ # ssh_monitor.py # alert = "Artillery has blocked (blacklisted) the following IP for SSH brute forcing violations: " + ipaddress -alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[ARTILLERY] SSH brute force violation"; content: "SSH brute forcing violations"; classtype: unsuccessful-user; parse_src_ip: 1; program: Artillery; reference: url,wiki.quadrantsec.com/bin/view/Main/5002089; reference: url,www.trustedsec.com/downloads/artillery; sid:5002089; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[ARTILLERY] SSH brute force violation"; content: "SSH brute forcing violations"; flowbits: set,brute_force&honeypot,86400; classtype: unsuccessful-user; parse_src_ip: 1; program: Artillery; reference: url,wiki.quadrantsec.com/bin/view/Main/5002089; reference: url,www.trustedsec.com/downloads/artillery; sid:5002089; rev:2;) diff -Nru sagan-rules-10222015/asterisk.rules sagan-rules-20160923/asterisk.rules --- sagan-rules-10222015/asterisk.rules 2015-10-22 15:19:05.000000000 +0000 +++ sagan-rules-20160923/asterisk.rules 2016-09-21 02:52:28.000000000 +0000 @@ -1,5 +1,5 @@ # Sagan asterisk.rules -# Copyright (c) 2009-2015, Quadrant Information Security +# Copyright (c) 2009-2016, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 
@@ -33,3 +33,7 @@ alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Login session failed [invalid extension] [0/5]"; content: "No matching peer found"; classtype: unsuccessful-user; program: asterisk; reference: url,wiki.quadrantsec.com/bin/view/Main/5000181; threshold:type limit, track by_src, count 5, seconds 900; sid:5000181; rev:3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Invalid to address"; content: "Invalid to address"; classtype: unsuccessful-user; program: asterisk; reference: url,wiki.quadrantsec.com/bin/view/Main/5001065; sid: 5001065; rev:1;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Brute force login session failed [5/5]"; content: "Wrong password"; flowbits: set,brute_force,21600; classtype: unsuccessful-user; program: asterisk; reference: url,wiki.quadrantsec.com/bin/view/Main/5002942; after: track by_src, count 5, seconds 300; threshold:type limit, track by_src, count 5, seconds 900; sid:5002942; rev:1;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Brute force login session failed [invalid user] [5/5]"; content: "Username/auth name mismatch"; flowbits: set,brute_force,21600; classtype: unsuccessful-user; program: asterisk; reference: url,wiki.quadrantsec.com/bin/view/Main/5002943; after: track by_src, count 5, seconds 300; threshold:type limit, track by_src, count 5, seconds 900; sid:5002943; rev:1;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Brute force login session failed [invalid extension] [5/5]"; content: "No matching peer found"; flowbits: set,brute_force,21600; classtype: unsuccessful-user; program: asterisk; reference: url,wiki.quadrantsec.com/bin/view/Main/5002944; after: track by_src, count 5, seconds 300; threshold:type limit, track by_src, count 5, seconds 900; sid:5002944; rev:1;) +
diff -Nru sagan-rules-10222015/attack.rules sagan-rules-20160923/attack.rules
--- sagan-rules-10222015/attack.rules 2015-10-22 15:19:05.000000000 
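Review bot: The three new brute-force rules (sid 5002942–5002944) use `after:` and `threshold:` with `track by_src` but, like the existing rules in this file, carry no `parse_src_ip`, so the by_src counters appear to key on the syslog sender (the Asterisk host) rather than on the peer whose login failed; five failures from five different peers would then trip the rule together and the `brute_force` flowbit would be attached to the server's own address. If the matched Asterisk messages include the peer address, adding `parse_src_ip: 1;` as the Barracuda rule 5002945 in this diff does would make the counting per-source; if they do not, the `[5/5]` in the msg overstates what is counted and a comment on the rule should say so.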
+0000
+++ sagan-rules-20160923/attack.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan attack.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/barracuda.rules sagan-rules-20160923/barracuda.rules
--- sagan-rules-10222015/barracuda.rules 1970-01-01 00:00:00.000000000 +0000
+++ sagan-rules-20160923/barracuda.rules 2016-09-21 02:52:28.000000000 +0000
@@ -0,0 +1,58 @@
+# Sagan barracuda.rules
+# Copyright (c) 2009-2016, Quadrant Information Security
+# All rights reserved.
+#
+# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
+#
+#*************************************************************
+# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
+# following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
+# disclaimer.
+# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
+# following disclaimer in the documentation and/or other materials provided with the distribution.
+# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# Barracuda rules by Corey Fisher - 02/17/2016
+
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] Last Auto Backup Time Changed"; content: "CHANGE last_auto_backup_time"; content: "debug|8f"; program: web; reference: url,wiki.quadrantsec.com/bin/view/Main/5002782; classtype: system-event; sid:5002782; rev:2;)
+
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] Spyware Exploit"; content: "Spyware.Exploit.Misc.MD"; content: "pcaptor"; program: pcaptor; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002783; classtype: suspicious-traffic; sid:5002783; rev:2;)
+
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] AdWare Win32 Agent"; content: "AdWare.Win32.Agent.bjx"; content: "pcaptor"; program: pcaptor; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002784; classtype: suspicious-traffic; sid:5002784; rev:2;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[Barracuda] Login"; content: "LOGIN"; content: !"FAILED_LOGIN"; program: web; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002785; classtype: system-event; sid:5002785; rev:2;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[Barracuda] Failed Login"; content: "FAILED_LOGIN"; program: web; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002786; classtype: unsuccessful-admin; sid:5002786; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[Barracuda] Brute force login attempt [5/5]"; content: "FAILED_LOGIN"; program: web; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002945; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; flowbits: set,brute_force,21600; classtype: unsuccessful-admin; sid:5002945; rev:3;)
+
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] Spyware Filter Change"; content: 
"spy_exempted"; content: "CHANGE"; program: web; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002787; classtype: system-event; sid:5002787; rev:2;)
+
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] Snort Enabled"; content: "snort_enabled"; content: "CHANGE"; program: web; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002788; classtype: system-event; sid:5002788; rev:2;)
+
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] Ipoque Enabled"; content: "ipoque_enabled"; content: "CHANGE"; program: web; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002789; classtype: system-event; sid:5002789; rev:2;)
+
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] Failed Login Log Change"; content: "failed_login"; content: "CHANGE"; program: web; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002790; classtype: system-event; sid:5002790; rev:2;)
+
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] Change to URL Whitelist"; content: "spy_url_whitelist"; content: "CHANGE"; program: web; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002791; classtype: system-event; sid:5002791; rev:2;)
+
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] Change to URL Blacklist"; content: "spy_url_blacklist"; content: "CHANGE"; program: web; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002792; classtype: system-event; sid:5002792; rev:2;)
+
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] Policy Block Change"; content: "policy_block"; content: "CHANGE"; program: web; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002793; classtype: system-event; sid:5002793; rev:2;)
+
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] User Password Changed"; content: "user_password"; content: "CHANGE"; program: web; parse_src_ip: 1; 
reference: url,wiki.quadrantsec.com/bin/view/Main/5002794; classtype: system-event; sid:5002794; rev:2;)
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] System Password Changed"; content: "system_password"; content: "CHANGE"; program: web; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002795; classtype: system-event; sid:5002795; rev:2;)
+
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] System Shutdown"; content: "set_set_shutdown"; content: "CHANGE"; program: web; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002796; classtype: system-event; sid:5002796; rev:2;)
diff -Nru sagan-rules-10222015/bash.rules sagan-rules-20160923/bash.rules
--- sagan-rules-10222015/bash.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/bash.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan bash.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
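Review bot: The msg tag in this new file is mixed-case `[Barracuda]` whereas every other file in this diff uses an upper-case tag (`[ADTRAN]`, `[APACHE]`, `[ARTILLERY]`, `[ASTERISK]`, `[BASH]`), so anything downstream that filters or groups on the tag will treat it differently; `[BARRACUDA]` would match the convention. Fourteen of the sixteen rules are shipped commented out, all at rev:2, with nothing saying why; a one-line comment above the first disabled rule stating the reason (e.g. `# Disabled pending validation — see <TICKET-PLACEHOLDER>`) would tell maintainers whether they are drafts or deliberately off.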
@@ -85,15 +85,15 @@
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] stunnel execution"; content:"HISTORY"; content:"stunnel"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002323; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH agent forwarding"; content:"HISTORY"; content:"ssh"; content:"-A"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002324; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH dynamic forwarding"; content:"HISTORY"; content:"ssh"; content:"-D"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002325; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH GSSAPI forwarding"; content:"HISTORY"; content:"ssh"; content:"-K"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002326; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH local forwarding"; content:"HISTORY"; content:"ssh"; content:"-L"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002327; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH remote forwarding"; content:"HISTORY"; content:"ssh"; content:"-R"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002328; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH input and output forwarding"; content:"HISTORY"; content:"ssh"; content:"-W"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002329; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH tunnel forwarding"; content:"HISTORY"; content:"ssh"; content:"-w"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002330; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH X11 forwarding"; content:"HISTORY"; content:"ssh"; content:"-X"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002331; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH X11 trusted 
forwarding"; content:"HISTORY"; content:"ssh"; content:"-Y"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002332; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH agent forwarding"; content:"HISTORY"; content:"ssh"; content:"-A "; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002324; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH dynamic forwarding"; content:"HISTORY"; content:"ssh"; content:"-D "; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002325; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH GSSAPI forwarding"; content:"HISTORY"; content:"ssh"; content:"-K "; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002326; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH local forwarding"; content:"HISTORY"; content:"ssh"; content:"-L "; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002327; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH remote forwarding"; content:"HISTORY"; content:"ssh"; content:"-R "; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002328; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH input and output forwarding"; content:"HISTORY"; content:"ssh"; content:"-W "; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002329; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH tunnel forwarding"; content:"HISTORY"; content:"ssh"; content:"-w "; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002330; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH X11 forwarding"; content:"HISTORY"; content:"ssh"; content:"-X "; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002331; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH X11 trusted forwarding"; content:"HISTORY"; content:"ssh"; content:"-Y "; 
classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002332; rev:1;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] LD_PRELOAD environment variable access"; content:"HISTORY"; content:"LD_PRELOAD"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002333; rev:1;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] LD_LIBRARY_PATH environment variable access"; content:"HISTORY"; content:"LD_LIBRARY_PATH"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002334; rev:1;)
diff -Nru sagan-rules-10222015/bind.rules sagan-rules-20160923/bind.rules
--- sagan-rules-10222015/bind.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/bind.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan bind.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
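Review bot: The nine rewritten rules (sids 5002324 through 5002332) change their last `content` from `"-A"` to `"-A "` (trailing space) but keep `rev:1`, whereas every other detection change in this release bumps the revision (adtran 2 to 3, bind 5 to 6, blacklist 1 to 2); these should carry `rev:2;` so rule managers and SIEM tuning notice the changed match. The trailing space narrows false positives on longer options, but it also means the flag is no longer seen when it is the last token on the history line or is bundled with another short option, and `content:"ssh"` still matches any program whose name contains that substring, so the detection gap is worth a comment above the block. The `[BASH] stunnel execution` line and the two LD_* rules are context and unchanged here.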
@@ -29,9 +29,9 @@
 drop udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[BIND] Denied zone transfer attempt"; content: "denied AXFR from"; classtype: attempted-recon; flowbits: set, recon, 86400; program: named; parse_port; parse_src_ip: 1; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000102; sid:5000102; rev:6;)
 drop udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[BIND] DNS update denied"; pcre: "/denied update from|unapproved update from/"; classtype: attempted-recon; flowbits: set, recon, 86400; program: named; parse_port; parse_src_ip: 1; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000103; sid:5000103; rev:6;)
 alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[BIND] Log permission misconfiguration"; content: "unable to rename log file"; classtype: program-error; program: named; parse_port; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000104; sid:5000104; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[BIND] Unexpected error [RCODE] while resolving domain"; content: "unexpected RCODE"; classtype: suspicious-traffic; program: named; normalize: dns; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000164; sid:5000164; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[BIND] Unexpected error [RCODE] while resolving domain"; content: "unexpected RCODE"; classtype: suspicious-traffic; program: named; normalize; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000164; sid:5000164; rev:6;)
 alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[BIND] Refused notify from non-master"; content: "refused notify from non-master"; parse_port; classtype: attempted-recon; flowbits: set, recon, 86400; program: named; parse_port; parse_src_ip: 1; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5000105; sid:5000105; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[BIND] DNS update using RFC2136 Dynamic protocol denied"; pcre: "/update \S+ denied/"; classtype: suspicious-traffic; program: named; normalize: dns; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000106; sid:5000106; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[BIND] DNS update using RFC2136 Dynamic protocol denied"; pcre: "/update \S+ denied/"; classtype: suspicious-traffic; program: named; normalize; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000106; sid:5000106; rev:6;)
 #alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[BIND] Query cache denied"; content: "query"; content: "cache"; content: "denied"; classtype: attempted-recon; flowbits: set, recon, 86400; program: named; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5000107; sid:5000107; rev:7;)
 alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[BIND] Named fatal error. 
DNS service is going down"; content: "exiting"; content: "due to fatal error"; classtype: program-error; program: named; reference: url,wiki.quadrantsec.com/bin/view/Main/5000108; sid:5000108; rev: 4;)
 alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[BIND] Serial number from master is lower than stored"; pcre: "/^zone \S+ serial number \S+ received from master \S+ \S ours/"; classtype: configuration-error; program: named; parse_port; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000109; sid:5000109; rev: 5;)
diff -Nru sagan-rules-10222015/bit9.rules sagan-rules-20160923/bit9.rules
--- sagan-rules-10222015/bit9.rules 1970-01-01 00:00:00.000000000 +0000
+++ sagan-rules-20160923/bit9.rules 2016-09-21 02:52:28.000000000 +0000
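Review bot: Sids 5000164 and 5000106 keep `fwsam: src, 1 day` while moving from `normalize: dns` to bare `normalize;`, so the address that gets firewalled is whatever the default normalizer extracts from the named log line rather than a field this rule names. For "unexpected RCODE" messages that address is, as far as I can tell, the remote nameserver that answered with the error, so a transient SERVFAIL/REFUSED upstream would block a legitimate resolver for a day; either drop `fwsam` from 5000164 or add a comment stating which normalized field the block targets and that this was verified against the current rulebase. Separately, the unchanged context line for sid 5000105 lists `parse_port;` twice; the duplicate can go the next time that rule is revised.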
@@ -0,0 +1,68 @@
+# Sagan bit9.rules
+# Copyright (c) 2009-2016, Quadrant Information Security
+# All rights reserved.
+#
+# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
+#
+#*************************************************************
+# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
+# following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
+# disclaimer.
+# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
+# following disclaimer in the documentation and/or other materials provided with the distribution.
+# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#*************************************************************
+
+# Bit9 rules by "Corey Fisher"
+# 07/26/2016
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIT9] Bit9 Agent blocked an attempt to create file"; content: "Bit9 Agent blocked an attempt to create"; content: "because of tamper protection"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002928; rev:1;)
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIT9] Bit9 Agent blocked an attempt to delete file"; content: "Bit9 Agent blocked an attempt to delete"; content: "because of tamper protection"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002929; rev:1;)
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIT9] Permission change was blocked"; content: "Permission change on"; content: "was blocked"; content: "Bit9 event"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002930; rev:1;)
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIT9] Modification of registry was blocked"; content: "of registry"; content: "was blocked because of tamper protection"; content: "Bit9 event"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002931; rev:1;)
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIT9] Bit9 Agent failed a health check"; content: "Bit9 Agent failed a health check"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002932; rev:1;)
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIT9] File was identified by Bit9 Software Reputation Service as a potential risk"; content: "Bit9 Software Reputation Service as a potential risk"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002933; rev:1;)
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIT9] Server detected revocation of certificate"; content: "Server detected revocation of certificate"; content: "Bit9 event"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 
5002934; rev:1;)
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIT9] Bit9 Agent detected a problem"; content: "Bit9 Agent detected a problem"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002935; rev:1;)
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIT9] Exclusive access to a file was blocked because of tamper protection"; content: "Exclusive access to"; content: "was blocked because of tamper protection"; content: "Bit9 event"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002936; rev:1;)
+
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIT9] Bit9 Agent had to rebuild its primary database cache and now has to re-initialize"; content: "Bit9 Agent had to rebuild its primary database cache and now has to re-initialize"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002937; rev:1;)
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIT9] Computer failed to receive Notifier Logo"; content: "Computer failed to receive Notifier Logo"; content: "Bit9 event"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002938; rev:1;)
+
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIT9] Bit9 Agent had to restore its primary database cache"; content: "Bit9 Agent had to restore its primary database cache"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002939; rev:1;)
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIT9] Non-System Filemods to system32"; content: "Carbon Black process watchlist |27|Non-System Filemods to system32|27|"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002921; rev:1;)
+
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIT9] Newly Loaded Modules"; content: "Carbon Black binary watchlist |27|Newly Loaded Modules|27|"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002922; rev:1;)
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIT9] A new device 
was mounted"; content: "A new device"; content: "was mounted as drive"; content: "Bit9 event"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002923; rev:1;)
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIT9] File was executed for the first time"; content: "File"; content: "was executed for the first time"; content: "Bit9 event"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002924; rev:1;)
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIT9] Computer reported that signature on file is invalid"; content: "reported that signature on file"; content: "is invalid"; content: "Bit9 event"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002925; rev:1;)
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIT9] Server discovered new certificate"; content: "Server discovered new certificate"; content: "Bit9 event"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002926; rev:1;)
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIT9] Disk configuration change detected"; content: "Disk configuration change detected"; content: "Bit9 event"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002927; rev:1;)
+
diff -Nru sagan-rules-10222015/blacklist.rules sagan-rules-20160923/blacklist.rules
--- sagan-rules-10222015/blacklist.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/blacklist.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan blacklist.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
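Review bot: None of the new [BIT9] rules (sids 5002921 through 5002939) carry a `reference:` option, unlike every other rule family in this release, so a responder has no pointer to what the event means or where the sid is documented; the file's own convention elsewhere is `reference: url,wiki.quadrantsec.com/bin/view/Main/<sid>;` (placeholder for the matching sid) on each rule. Some anchors are very weak, notably sid 5002924 matching on `content: "File"` plus a phrase, and sid 5002933 (Software Reputation Service "potential risk") and the two Carbon Black watchlist rules 5002921/5002922 are all `classtype: system-event` although they are closer to suspicious activity than to housekeeping. The `program: 1|bit9` value, where `1` presumably is the "customer" program field the ChangeLog mentions, deserves a one-line comment under the author header so the next maintainer does not remove it as a typo.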
@@ -26,5 +26,5 @@
 # These are CATCH ALL rules. This means it will parse _all_ logs.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BLACKLIST] Suspicious communications detected via Blacklist"; blacklist: all; classtype: suspicious-traffic; after: track by_src, count 5, seconds 30; threshold: type limit, track by_src, count 10, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; normalize: all; parse_proto; parse_proto_program; reference: url,wiki.quadrantsec.com/bin/view/Main/5002271; sid: 5002271; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BLACKLIST] Suspicious communications detected via Blacklist"; blacklist: all; classtype: suspicious-traffic; after: track by_src, count 5, seconds 30; threshold: type limit, track by_src, count 10, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; normalize; parse_proto; parse_proto_program; reference: url,wiki.quadrantsec.com/bin/view/Main/5002271; sid: 5002271; rev:2;)
diff -Nru sagan-rules-10222015/bluedot-catagories.conf sagan-rules-20160923/bluedot-catagories.conf
--- sagan-rules-10222015/bluedot-catagories.conf 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/bluedot-catagories.conf 2016-09-21 02:52:28.000000000 +0000
@@ -2,5 +2,7 @@
 1 || Whitelisted
 2 || Client
 3 || Malicious
+4 || Honeypot
 7 || Advisory
+8 || Scanners
 9 || Tor
diff -Nru sagan-rules-10222015/bluedot.rules sagan-rules-20160923/bluedot.rules
--- sagan-rules-10222015/bluedot.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/bluedot.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan bluedot.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -26,5 +26,7 @@
 # These are CATCH ALL rules. This means it will parse _all_ logs.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BLUEDOT] Suspicious IP detected via Bluedot"; bluedot: reputation, all, $BLUEDOT_NETWORK; content:!"drop"; nocase; content:!"denied"; nocase; content:!"deny"; nocase; content:!"qipapikey"; classtype: suspicious-traffic; after: track by_src, count 10, seconds 30; threshold: type limit, track by_src, count 2, seconds 3600; parse_src_ip: 1; parse_dst_ip: 2; normalize: all; parse_proto; parse_proto_program; reference: url,wiki.quadrantsec.com/bin/view/Main/5002288; sid:5002288; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BLUEDOT] Suspicious IP detected via Bluedot"; bluedot: type ip_reputation, track all, mdate_effective_period 1 months, Malicious, Tor; content:!"drop"; nocase; content:!"denied"; nocase; content:!"deny"; nocase; content:!"qipapikey"; classtype: suspicious-traffic; after: track by_src, count 10, seconds 30; threshold: type limit, track by_src, count 2, seconds 3600; parse_src_ip: 1; parse_dst_ip: 2; normalize; parse_proto; parse_proto_program; reference: url,wiki.quadrantsec.com/bin/view/Main/5002288; sid:5002288; rev:5;)
+
+#alert udp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"[ScreenOS] Juniper ScreenOS Admin Login From a Malicious IP"; content:"has logged on via"; content "00515"; bluedot: reputation, all, $BLUEDOT_NETWORK; parse_src_ip: 1; reference:cve,2015-7755; reference:url,kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search; classtype:successful-admin; sid: 5002774; rev:1;)
diff -Nru sagan-rules-10222015/bonding.rules sagan-rules-20160923/bonding.rules
--- sagan-rules-10222015/bonding.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/bonding.rules 2016-09-21 02:52:28.000000000 +0000
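Review bot: The newly added, commented-out ScreenOS rule (sid 5002774) cannot be enabled as written: `content "00515"` is missing the colon, and it still uses the old `bluedot: reputation, all, $BLUEDOT_NETWORK` keyword form that the line above it replaces with `bluedot: type ip_reputation, track all, …`. Either rewrite it to the new syntax, e.g. `content: "00515"; bluedot: type ip_reputation, track all, mdate_effective_period 1 months, Malicious;`, or leave it out, so that whoever uncomments it does not get a rule-load failure. The header `udp $HOME_NET any -> $EXTERNAL_NET 22` for an admin login notice also looks reversed relative to the other rules here; presumably informational for syslog sources, but worth a check.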
@@ -1,5 +1,5 @@
 # Sagan bonding.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/bro-bluedot.rules sagan-rules-20160923/bro-bluedot.rules
--- sagan-rules-10222015/bro-bluedot.rules 1970-01-01 00:00:00.000000000 +0000
+++ sagan-rules-20160923/bro-bluedot.rules 2016-09-21 02:52:28.000000000 +0000
@@ -0,0 +1,27 @@
+# Sagan bro-bluedot.rules
+# Copyright (c) 2009-2016, Quadrant Information Security
+# All rights reserved.
+#
+# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
+#
+#*************************************************************
+# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
+# following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
+# disclaimer.
+# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
+# following disclaimer in the documentation and/or other materials provided with the distribution.
+# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BLUEDOT] Suspicious file hash detected"; content: " files: "; bluedot: type: file_hash, Malicious; classtype: suspicious-traffic; normalize: bro; parse_proto; reference: url,wiki.quadrantsec.com/bin/view/Main/5002940; sid:5002940; rev:1;)
diff -Nru sagan-rules-10222015/bro-ids.rules sagan-rules-20160923/bro-ids.rules
--- sagan-rules-10222015/bro-ids.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/bro-ids.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan bro-ids.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
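Review bot: The new file-hash rule (sid 5002940) uses `normalize: bro;`, yet this same release deletes `bro-normalize.rulebase` (the liblognorm rulebase that parses the ` files: ` line into the md5/sha1/sha256 fields) and converts every other rule to bare `normalize;`. Unless the ` files: ` pattern has moved into another rulebase that is not in this diff, the rule will match the content string but never extract a hash for the bluedot lookup; it should use `normalize;` for consistency and the header should name which rulebase supplies the ` files: ` parse. The option `bluedot: type: file_hash, Malicious` also has a colon after `type`, unlike `bluedot: type ip_reputation, …` in bluedot.rules in this same diff; one of the two spellings is presumably a parse error, and the file also ends without the blank line the other new files carry.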
@@ -51,7 +51,7 @@
 # Robert Nunley & Champ Clark - 06/10/2014
-alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[BRO] SSH Password_Guessing [0/5]"; content: "SSH|3a 3a|Password_Guessing"; program: bro; classtype: misc-attack; parse_src_ip: 1; parse_dst_ip: 2; threshold: type limit, track by_src, count 5, seconds 120; reference: url,wiki.quadrantsec.com/bin/view/Main/5002063; sid: 5002063; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[BRO] SSH Password_Guessing [0/5]"; content: "SSH|3a 3a|Password_Guessing"; program: bro; classtype: misc-attack; parse_src_ip: 1; parse_dst_ip: 2; threshold: type limit, track by_src, count 1, seconds 120; flowbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5002063; sid: 5002063; rev:4;)
 # Note: You will need licensing to use the Team Cymru Malware Hash Registry for corporate use. See http://www.team-cymru.org/Services/MHR/
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] TeamCymruMalwareHashRegistry Match"; content: "TeamCymruMalwareHashRegistry|3a 3a|Match"; parse_src_ip: 1; parse_dst_ip: 2; program: bro; reference: url,www.team-cymru.org/Services/MHR/; classtype: trojan-activity; sid: 5002064; rev:2;)
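Review bot: The message of sid 5002063 still reads `[BRO] SSH Password_Guessing [0/5]` although the threshold moved from `count 5` to `count 1, seconds 120`; the bracketed after/threshold counter, which the other rules in this file use to describe their rate limits (compare `[10/5]` on sid 5002069), now misdescribes the rule and should become `[0/1]` or be dropped, e.g. `msg:"[BRO] SSH Password_Guessing";`. The revision also jumps from `rev:2` to `rev:4`, which suggests an intermediate edit that is not in this diff. A short comment naming which rules consume the new `flowbits: set,brute_force,21600` would help future tuning.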
@@ -60,7 +60,7 @@
 #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[BRO] HTTP SQL_Injection_Attacker"; content: "HTTP|3a 3a|SQL_Injection_Attacker"; parse_src_ip: 1; parse_dst_ip: 2; program: bro; reference: url,wiki.quadrantsec.com/bin/view/Main/5002065; classtype: web-application-attack; sid: 5002065; rev:2;)
 #alert tcp $EXTERNAL_NET any -> $HTTP_PORT any (msg: "[BRO] HTTP SQL_Injection_Victim"; content: "HTTP|3a 3a|SQL_Injection_Victim"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002066; classtype: web-application-attack; sid: 5002066; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[BRO] SSH Login_By_Password_Guesser"; content: "SSH|3a 3a|Login_By_Password_Guesser"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002067; classtype: successful-user; sid: 5002067; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[BRO] SSH Login_By_Password_Guesser"; content: "SSH|3a 3a|Login_By_Password_Guesser"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; flowbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5002067; classtype: successful-user; sid: 5002067; rev:3;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[BRO] SSH Watched_Country_Login"; content: "SSH|3a 3a|Watched_Country_Login"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002068; classtype: successful-user; sid: 5002068; rev:2;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[BRO] 10+ SSL Invalid_Server_Cert in 30 seconds [10/5]"; content: "SSL|3a 3a|Invalid_Server_Cert"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; after: track by_src, count 10, seconds 30; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002069; classtype: suspicious-traffic; sid: 5002069; rev:4;)
@@ -89,3 +89,15 @@
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[BRO] Sidejacking attach detected"; content: "Sidejacking"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5002073; reference: url,matthias.vallentin.net/blog/2010/10/taming-the-sheep-detecting-sidejacking-with-bro; sid: 5002073; rev:2;)
+
+# This rule detect internal (rfc1918) systems port scanning, but ignores everything else!
+
+
+# Example log:
+
+#1459283371.705967 - - - - - - - - - Scan::Port_Scan 10.1.0.34 scanned at least 15 unique ports of host 10.1.0.4 in 0m2s local 10.1.0.34 10.1.0.4 - - bro Notice::ACTION_LOG 3600.000000 F - - - - -
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] RFC1918 address scanning the network"; content: "Scan|3a 3a|Port_Scan"; pcre:"/((192)\.(168)\.(\d+)\.(\d+)|(10)\.(\d+)\.(\d+)\.(\d+)|(172)\.(1[6,7,8,9])\.(\d+)\.(\d+)|(172)\.(2[0,1,2,3,4,5,6,7,8,9])\.(\d+)\.(\d+)|(172)\.(3[0,1])\.(\d+)\.(\d+)) scanned at least \d+ unique ports/smi"; program: bro; parse_src_ip: 1; threshold: type limit, track by_src, count 1, seconds 86400; flowbits: set,recon,86400; classtype: attempted-recon; reference: url,wiki.quadrantsec.com/bin/view/Main/5002798; sid:5002798; rev:3;)
+
+
+
diff -Nru sagan-rules-10222015/bro-intel.rules sagan-rules-20160923/bro-intel.rules
--- sagan-rules-10222015/bro-intel.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/bro-intel.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan bro-intel.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
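Review bot: The RFC1918 `pcre` in new sid 5002798 writes its character classes with commas, `[6,7,8,9]`, `[0,1,2,3,4,5,6,7,8,9]` and `[0,1]`, so a literal `,` is also accepted as the octet digit (the regex would take `172.1,.x.x` as private space), and every octet is wrapped in its own capture group for no reason. An equivalent-intent, tighter form is `pcre:"/(192\.168\.\d+\.\d+|10\.\d+\.\d+\.\d+|172\.(1[6-9]|2\d|3[01])\.\d+\.\d+) scanned at least \d+ unique ports/smi";`; note the octets remain unanchored and unbounded either way, which is fine given the ` scanned at least` tail but should be stated in the comment. The comment above it reads "This rule detect" (should be "detects"), and a brand-new rule shipping as `rev:3` with three trailing blank lines looks like leftover editing rather than intent.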
@@ -26,5 +26,5 @@
 # These are CATCH ALL rules. This means it will parse _all_ logs.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO-INTEL] Suspicious communications detected via Bro-Intel"; bro-intel: all; classtype: suspicious-traffic; after: track by_src, count 5, seconds 30; threshold: type limit, track by_src, count 10, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; normalize: all; parse_proto; parse_proto_program; reference: url,wiki.quadrantsec.com/bin/view/Main/5002270; sid: 5002270; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO-INTEL] Suspicious communications detected via Bro-Intel"; bro-intel: all; classtype: suspicious-traffic; after: track by_src, count 5, seconds 30; threshold: type limit, track by_src, count 10, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; normalize; parse_proto; parse_proto_program; reference: url,wiki.quadrantsec.com/bin/view/Main/5002270; sid: 5002270; rev:2;)
diff -Nru sagan-rules-10222015/bro-normalize.rulebase sagan-rules-20160923/bro-normalize.rulebase
--- sagan-rules-10222015/bro-normalize.rulebase 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/bro-normalize.rulebase 1970-01-01 00:00:00.000000000 +0000
@@ -1,34 +0,0 @@
-# Sagan bro-normalize.rulebase
-# Copyright (c) 2009-2015, Quadrant Information Security
-# All rights reserved.
-#
-# This file is used in conjunction with liblognorm.
-#
-# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
-#
-#*************************************************************
-# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
-# following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
-# disclaimer.
-# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
-# following disclaimer in the documentation and/or other materials provided with the distribution.
-# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
-# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
-# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#
-#*************************************************************
-
-prefix=
-
-# This is a "custom" bro output Sagan uses for file hashes from Bro.
-
-rule=: files: %-:word% %-:word% %src-ip:ipv4% %dst-ip:ipv4% %-:word% %-:word% %-:number% %-:word% %mime-type:word% %-:word% %-:word% %-:word% %-:word% %-:number% %-:number% %-:number% %-:number% %-:word% %-:word% %filehash-md5:word% %filehash-sha1:word% %filehash-sha256:word% %-:rest%
diff -Nru sagan-rules-10222015/cacti-thold.rules sagan-rules-20160923/cacti-thold.rules
--- sagan-rules-10222015/cacti-thold.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/cacti-thold.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan cacti-thold.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/ChangeLog sagan-rules-20160923/ChangeLog
--- sagan-rules-10222015/ChangeLog 1970-01-01 00:00:00.000000000 +0000
+++ sagan-rules-20160923/ChangeLog 2016-09-23 19:04:53.000000000 +0000
@@ -0,0 +1,81 @@
+09/23/2016 - Sagan rule release
+
+ * Disabled many nfcapd.rules. These are low value rules
+ https://github.com/beave/sagan-rules/commit/00df337cefc41f84d53ab1e17a9a05c7c2f2e433
+
+ * Rules 500295[0123] fixed "any -> any" typo
+ https://github.com/beave/sagan-rules/commit/2aad0351efaf92b09a222f8afca7ea4a49c1ded2
+
+ * Removed "Tor" nfcapd-malware.rules. These are low value rules (better ways to catch Tor traffic)
+ https://github.com/beave/sagan-rules/commit/2a41f85b7b58b7c85c85fdfcb6dcee31dd1eb668
+
+ * Flowbit fix in sid 5002941 ([WINDOWS-MISC] Suspicious event logging service shut down)
+ https://github.com/beave/sagan-rules/commit/a6042fccbf8e74c13f36ae6ddcd0640399da69c1
+
+ * Modification of sid web-attack.rules 5001843 to ignore the word "Vegas"
+ https://github.com/beave/sagan-rules/commit/056d588034c4d029abdc825cece4cb9b46773c0b
+
+ * Two new rules targetting Evtsys errors. Sid 5001185 changed to address evtsys issue.
+ https://github.com/beave/sagan-rules/commit/079e19f9f9dc300a879de51b1e2991b846f79e19
+
+08/30/2016 - Sagan rule release
+
+ * vsftp, proftp, pureftp and generic ftp rules for "ftpchk3". See https://blog.ftptoday.com/ftp-password-stealing-malware
+ https://github.com/beave/sagan-rules/commit/9f04bf22570801f4fa4f4f96ef561d95010d717e
+ https://github.com/beave/sagan-rules/commit/2a227378143ed10fb4db3696092ead39841a54d2
+
+ * Added "FTP|FTPD" to program field in ftpd.rules
+ https://github.com/beave/sagan-rules/commit/27e2d99ccdc69a99ce7b6b1899ce4e01ef27ab39
+
+ * Updated all Cisco ASA rules to take into account when Cisco "Emblem" is enabled
+ https://github.com/beave/sagan-rules/commit/83d4c122a25114fc716cac8dc9d2ed81ce2b61cb
+ https://github.com/beave/sagan-rules/commit/7e12112fa1abfffaffb94d45a17a068e5c1da128
+
+ * bit9.rules update to take into account "customer" program field.
+ https://github.com/beave/sagan-rules/commit/83d4c122a25114fc716cac8dc9d2ed81ce2b61cb
+
+ * cisco-prime "recon" flowbit added to sid 5002175
+ https://github.com/beave/sagan-rules/commit/ead9c3399fed3ba920f7760abe0bc7c009b59081
+
+ * ngix.rules new brute force rule & "brute_force" flowbit added - 5002948
+ https://github.com/beave/sagan-rules/commit/ead9c3399fed3ba920f7760abe0bc7c009b59081
+
+ * oracle.rules new brute force rule & "brute_force" flowbit added - sid 5002949
+ https://github.com/beave/sagan-rules/commit/ead9c3399fed3ba920f7760abe0bc7c009b59081
+
+ * cisco-prime.rules clean up of invalid references.
+ https://github.com/beave/sagan-rules/commit/ead9c3399fed3ba920f7760abe0bc7c009b59081
+
+ * ipop3d.rules new "brute_force" flowbit added - sid 5000032
+ https://github.com/beave/sagan-rules/commit/8058562a727e9fa4dcad8639b062ae5555ec95c8
+
+ * New Big IP F5 rules (f5-big-ip.rules)
+ https://github.com/beave/sagan-rules/commit/6aa0e58eb1249cae31c2ea60a61bedd00e1cc390
+
+ * bash.rules changes to better detect certain command line options
+ https://github.com/beave/sagan-rules/commit/7e12112fa1abfffaffb94d45a17a068e5c1da128
+
+ * apache.rules new "brute_force" & "recon" flowbits added.
+ https://github.com/beave/sagan-rules/commit/32373afab6cc557c95f7c2f18fdf61336fc54b72
+
+ * artillery.rules new "honeypot" & "flowbits" added.
+ https://github.com/beave/sagan-rules/commit/32373afab6cc557c95f7c2f18fdf61336fc54b72
+
+ * barracuda.rules new brute force rules and flowbits
+ https://github.com/beave/sagan-rules/commit/32373afab6cc557c95f7c2f18fdf61336fc54b72
+
+ * asterisk.rules new brute force & "brute_force" flowbits
+ https://github.com/beave/sagan-rules/commit/32373afab6cc557c95f7c2f18fdf61336fc54b72
+
+ * Correaction in su.rules that could lead to false positives.
+ https://github.com/beave/sagan-rules/commit/22173a81ede60f166403b124a62cef4a82fb9616
+
+ * bro-ids.rules "brute_force" flowbit added.
+ https://github.com/beave/sagan-rules/commit/32373afab6cc557c95f7c2f18fdf61336fc54b72
+
+ * Changes to widnows-geoip.rule to work around https://support.microsoft.com/en-us/kb/3097467
+ https://github.com/beave/sagan-rules/commit/22173a81ede60f166403b124a62cef4a82fb9616
+
+ * windows-misc.rules added event 1100 detection.
+ https://github.com/beave/sagan-rules/commit/1458068d33082fe937c934130ef9d730199fe834
+
diff -Nru sagan-rules-10222015/cisco-acs.rules sagan-rules-20160923/cisco-acs.rules
--- sagan-rules-10222015/cisco-acs.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/cisco-acs.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan cisco-acs.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -34,10 +34,10 @@
 # IP address. - Champ Clark (03/14/2013).
 #
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-ACS] Failed Login Attempt"; program: CSCOacs_Failed_Attempts; content: "UserName="; parse_src_ip: 3; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001655; sid: 5001655; rev:2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-ACS] Failed Login Attempt - Brute force [5/5]"; program: CSCOacs_Failed_Attempts; content: "UserName="; content:!"session timed out"; parse_src_ip: 3; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001656; sid: 5001656; rev:5;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-ACS] Failed Login Attempt - Brute force [5/5]"; program: CSCOacs_Failed_Attempts; flowbits: set,brute_force,21600; content: "UserName="; content:!"session timed out"; parse_src_ip: 3; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001656; sid: 5001656; rev:6;)
 # 10.10.10.10|auth|info|info|26|2014-02-20|16:23:54|CisACS_02_FailedAuth| 79fa6rs6 1 0 Message-Type=Authen failed,User-Name=champtest,NAS-IP-Address=172.16.1.1,Authen-Failure-Code=ACS user unknown,Caller-ID=10.10.10.10,NAS-Port=58634240,Group-Name=Default Group,
 #
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-ACS] Failed Login Attempt [CisACS]"; program: CisACS_02_FailedAuth; parse_src_ip: 1; parse_dst_ip: 2; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001975; sid: 5001975; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-ACS] Failed Login Attempt - Brute force [CisACS] [5/5]"; program: CisACS_02_FailedAuth; parse_src_ip: 1; parse_dst_ip: 2; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001976; sid: 5001976; rev:2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-ACS] Failed Login Attempt - Brute force [CisACS] [5/5]"; program: CisACS_02_FailedAuth; parse_src_ip: 1; parse_dst_ip: 2; flowbits: set,brute_force,21600; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001976; sid: 5001976; rev:3;)
diff -Nru sagan-rules-10222015/cisco-aetas.rules sagan-rules-20160923/cisco-aetas.rules
--- sagan-rules-10222015/cisco-aetas.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/cisco-aetas.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan cisco-aetas.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
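Review bot: The new `flowbits: set,brute_force,21600;` option is placed differently in the two rules — in sid 5001656 it sits right after `program:` ahead of the `content:` matches, in sid 5001976 after `parse_dst_ip: 2;` just before `after:` — and putting it in the same position in both (directly before `after:` reads best, since the bit is presumably only set once that rate test passes) would make the pair easier to compare. Nothing in the hunk says why the bit lives 21600 s or which rules consume it; the cisco-correlated rules visible later in this diff test `recon|honeypot` only, so confirm a consumer of `brute_force` exists. A comment above the two rules such as `# brute_force flowbit is set once 5 failures/300s are seen and kept for 6h (21600s) for the correlated "after suspicious activity" rules` would record both facts for whoever tunes the thresholds.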
@@ -25,25 +25,25 @@
 #
 #
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-AETAS] VPN Login at suspicious time"; program: %ASA-6-716038; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002034; sid: 5002034; rev: 2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-AETAS] VPN Login at suspicious time"; program: %ASA*-6-716038; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002034; sid: 5002034; rev: 2;)
 # %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: testuser] [Source: 10.10.10.10] [localport: 22] at 05:00:13 EST Sun Dec 1 2013
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-AETAS] Console login at suspicious time"; program: %SEC_LOGIN-5-LOGIN_SUCCESS; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002035; sid: 5002035; rev: 2;)
-# 10.1.2.1|local4|info|info|a6|2013-12-02|08:00:03|%ASA-6-605005| Login permitted from 10.1.1.1/54112 to inside:10.1.2.1/ssh for user "bob"
+# 10.1.2.1|local4|info|info|a6|2013-12-02|08:00:03|%ASA*-6-605005| Login permitted from 10.1.1.1/54112 to inside:10.1.2.1/ssh for user "bob"
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-AETAS] Login permitted at suspicious time"; program: %ASA-6-605005; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS;classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002036; sid: 5002036; rev: 2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-AETAS] Login permitted at suspicious time"; program: %ASA*-6-605005; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS;classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002036; sid: 5002036; rev: 2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-AETAS] WebVPN login at suspicious time"; program: %ASA-6-716001; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002037; sid: 5002037; rev: 2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-AETAS] WebVPN login at suspicious time"; program: %ASA*-6-716001; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002037; sid: 5002037; rev: 2;)
 # Group = AnyConnect, Username = bob, IP = 10.10.10.10, Session disconnected. Session Type: SSL, Duration: 12h:00m:19s, Bytes xmt: 332468520, Bytes rcv: 130276830, Reason: Max time exceeded
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-AETAS] VPN disconnect at suspicious time"; program: %ASA-4-113019; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002038; sid: 5002038; rev: 2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-AETAS] VPN disconnect at suspicious time"; program: %ASA*-4-113019; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002038; sid: 5002038; rev: 2;)
-# 10.8.5.10|local4|info|info|a6|2014-02-18|02:12:41|%ASA-6-734001| DAP: User bob, Addr 10.10.10.10, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
+# 10.8.5.10|local4|info|info|a6|2014-02-18|02:12:41|%ASA*-6-734001| DAP: User bob, Addr 10.10.10.10, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-AETAS] VPN login at suspicious time"; program: %ASA-6-734001; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002039; sid: 5002039; rev: 2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-AETAS] VPN login at suspicious time"; program: %ASA*-6-734001; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002039; sid: 5002039; rev: 2;)
 # Cisco ACS (via VPN) - authentication success
 # 10.10.10.10|auth|info|info|26|2014-02-20|16:26:58|CisACS_01_PassedAuth| 12s245v32 1 0 Message-Type=Authen OK,User-Name=BOB,NAS-IP-Address=172.16.1.1,Caller-ID=199.44.66.11,NAS-Port=58642432,Group-Name=VPN Users,Filter Information=No Filters activated.,
diff -Nru sagan-rules-10222015/cisco-blacklist.rules sagan-rules-20160923/cisco-blacklist.rules
--- sagan-rules-10222015/cisco-blacklist.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/cisco-blacklist.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan cisco-blacklist.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
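Review bot: The `program:` pattern of sids 5002034, 5002036, 5002037, 5002038 and 5002039 changes from `%ASA-…` to `%ASA*-…` but each rule keeps `rev: 2;`, so anyone comparing deployed rule sets by sid/rev, or a rule-update tool keyed on rev, will not see these signatures as modified; bump each to `rev: 3;` as the adtran and cisco-acs hunks in this same release do. The same unbumped rev appears in the cisco-blacklist hunk (sids 5002240, 5002242–5002245, 5002247, 5002249), the cisco-brointel hunk (5002250, 5002252–5002255, 5002257–5002259) and the cisco-correlated hunk (5002361–5002364, 5002366). If `*` is a glob in the program field, `%ASA*-6-716038` now also accepts whatever the EMBLEM-formatted ASA program field puts between `%ASA` and the level, which the ChangeLog names as the motivation but the rules file does not; a one-line comment above the first rule, e.g. `# program: uses %ASA*- so the plain and EMBLEM-formatted ASA program fields both match`, would stop the next reader tightening it back.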
@@ -27,14 +27,14 @@
 # For log examples, see cisco-geoip.rules. This is just rules:
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BLACKLIST] VPN Login from blacklisted IP"; program: %ASA-6-716038; blacklist: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002240; sid: 5002240; rev: 1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BLACKLIST] VPN Login from blacklisted IP"; program: %ASA*-6-716038; blacklist: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002240; sid: 5002240; rev: 1;)
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLACKLIST] Console login from blacklisted IP"; program: %SEC_LOGIN-5-LOGIN_SUCCESS; blacklist: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002241; sid: 5002241; rev: 2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLACKLIST] Login permitted from blacklisted IP"; program: %ASA-6-605005; blacklist: by_src; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002242; sid: 5002242; rev: 1;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BLACKLIST] WebVPN login from blacklisted IP"; program: %ASA-6-716001; blacklist: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002243; sid: 5002243; rev: 1;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BLACKLIST] VPN disconnect from blacklisted IP"; program: %ASA-4-113019; blacklist: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002244; sid: 5002244; rev: 1;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BLACKLIST] VPN login from blacklisted IP"; program: %ASA-6-734001; blacklist: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002245; sid: 5002245; rev: 1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLACKLIST] Login permitted from blacklisted IP"; program: %ASA*-6-605005; blacklist: by_src; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002242; sid: 5002242; rev: 1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BLACKLIST] WebVPN login from blacklisted IP"; program: %ASA*-6-716001; blacklist: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002243; sid: 5002243; rev: 1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BLACKLIST] VPN disconnect from blacklisted IP"; program: %ASA*-4-113019; blacklist: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002244; sid: 5002244; rev: 1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BLACKLIST] VPN login from blacklisted IP"; program: %ASA*-6-734001; blacklist: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002245; sid: 5002245; rev: 1;)
 alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLACKLIST] ACS Login success from blacklisted IP"; program: CisACS_01_PassedAuth; blacklist: by_src; classtype: successful-user; parse_src_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002246; sid: 5002246; rev: 1;)
-alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLACKLIST] VPN login from blacklisted IP [2]"; program: %ASA-6-722022|%ASA-6-722023; blacklist: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002247; sid: 5002247; rev: 1;)
-alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLACKLIST] FTP file transfer from blacklisted IP"; program: %ASA-6-303002; blacklist: by_src; classtype: successful-user; normalize: cisco; reference: url, wiki.quadrantsec.com/bin/view/Main/5002248; sid: 5002248; rev: 1;)
-alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLACKLIST] FTP file transfer from blacklisted IP"; program: %ASA-6-303002; blacklist: by_dst; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002249; sid: 5002249; rev: 1;)
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLACKLIST] VPN login from blacklisted IP [2]"; program: %ASA*-6-722022|%ASA*-6-722023; blacklist: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002247; sid: 5002247; rev: 1;)
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLACKLIST] FTP file transfer from blacklisted IP"; program: %ASA*-6-303002; blacklist: by_src; classtype: successful-user; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5002248; sid: 5002248; rev: 2;)
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLACKLIST] FTP file transfer from blacklisted IP"; program: %ASA*-6-303002; blacklist: by_dst; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002249; sid: 5002249; rev: 1;)
diff -Nru sagan-rules-10222015/cisco-bluedot.rules sagan-rules-20160923/cisco-bluedot.rules
--- sagan-rules-10222015/cisco-bluedot.rules 1970-01-01 00:00:00.000000000 +0000
+++ sagan-rules-20160923/cisco-bluedot.rules 2016-09-21 02:52:28.000000000 +0000
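Review bot: Sids 5002248 and 5002249 on the new side carry the identical `msg: "[CISCO-BLACKLIST] FTP file transfer from blacklisted IP"` although 5002249 tracks `blacklist: by_dst`, so an analyst reading the alert cannot tell whether the listed address was the client or the FTP server; `msg: "[CISCO-BLACKLIST] FTP file transfer to blacklisted IP"` for 5002249 (or the "from or to" wording the cisco-bluedot file uses) would remove the ambiguity. The two rules also extract addresses differently — 5002248 relies on the now-generic `normalize;` while 5002249 uses `parse_src_ip: 1; parse_dst_ip: 2;` on the same `%ASA*-6-303002` message — and nothing says why; a comment such as `# 5002248 takes src/dst from the normalizer, 5002249 from positional parsing — keep both until the normalizer is confirmed to set dst` would keep the next editor from "harmonising" one away.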
@@ -0,0 +1,67 @@
+# Sagan cisco-bluedot.rules
+# Copyright (c) 2009-2016, Quadrant Information Security
+# All rights reserved.
+#
+# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
+#
+#*************************************************************
+# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
+# following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
+# disclaimer.
+# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
+# following disclaimer in the documentation and/or other materials provided with the distribution.
+# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"[CISCO-BLUEDOT] Suspicious TCP connection detected via Bluedot"; program: %ASA*-6-*; content: " TCP "; content:!" bytes 0 "; bluedot: type ip_reputation, track all, mdate_effective_period 1 months, Malicious, Tor; normalize; parse_src_ip: 1; parse_dst_ip: 2; threshold: type limit, track by_src, count 1, seconds 7200; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5002868; sid: 5002868; rev:5;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"[CISCO-BLUEDOT] Suspicious UDP connection detected via Bluedot"; program: %ASA*-6-*; content: " UDP "; content:!" bytes 0 "; bluedot: type ip_reputation, track all, mdate_effective_period 1 months, Malicious, Tor; normalize; parse_src_ip: 1; parse_dst_ip: 2; threshold: type limit, track by_src, count 1, seconds 7200; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5002869; sid: 5002869; rev:5;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"[CISCO-BLUEDOT] Suspicious ICMP connection detected via Bluedot"; program: %ASA*-6-*; content: " ICMP "; bluedot: type ip_reputation, track all, mdate_effective_period 1 months, Malicious, Tor; normalize; parse_src_ip: 1; parse_dst_ip: 2; threshold: type limit, track by_src, count 1, seconds 7200; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5002879; sid:5002879; rev:5;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"[CISCO-BLUEDOT] Suspicious GRE connection detected via Bluedot"; program: %ASA*-6-*; content: " GRE "; bluedot: type ip_reputation, track all, mdate_effective_period 1 months, Malicious, Tor; normalize; parse_src_ip: 1; parse_dst_ip: 2; threshold: type limit, track by_src, count 1, seconds 7200; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5002880; sid:5002880; rev:5;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BLUEDOT] VPN Login from suspicious source"; program: %ASA*-6-716038; bluedot: type ip_reputation, track all, none, Malicious, Tor, Honeypot; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002870; sid:5002870; rev: 3;)
+
+# %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: testuser] [Source: 10.10.10.10] [localport: 22] at 05:00:13 EST Sun Dec 1 2013
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLUEDOT] Console login from suspicious source"; program: %SEC_LOGIN-5-LOGIN_SUCCESS; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002871; sid:5002871; rev: 3;)
+
+# 10.1.2.1|local4|info|info|a6|2013-12-02|08:00:03|%ASA*-6-605005| Login permitted from 10.1.1.1/54112 to inside:10.1.2.1/ssh for user "bob"
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLUEDOT] Login permitted from suspicious source"; program: %ASA*-6-605005; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002872; sid:5002872; rev: 2;)
+
+# WebVPN
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BLUEDOT] VPN login from suspicious source"; program: %ASA*-6-716001|%ASA*-6-716038; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002873; sid:5002873; rev: 2;)
+
+# Group = AnyConnect, Username = bob, IP = 10.10.10.10, Session disconnected. Session Type: SSL, Duration: 12h:00m:19s, Bytes xmt: 332468520, Bytes rcv: 130276830, Reason: Max time exceeded
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BLUEDOT] VPN disconnect from suspicious source"; program: %ASA*-4-113019|%ASA*-6-716002|%ASA*-6-721018; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002874; sid:5002874; rev: 2;)
+
+# 10.8.5.10|local4|info|info|a6|2014-02-18|02:12:41|%ASA*-6-734001| DAP: User bob, Addr 10.10.10.10, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BLUEDOT] VPN/AnyConnect login from suspicious source"; program: %ASA*-6-734001; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002875; sid:5002875; rev: 2;)
+
+# Cisco ACS (via VPN) - authentication success
+# 10.10.10.10|auth|info|info|26|2014-02-20|16:26:58|CisACS_01_PassedAuth| 12s245v32 1 0 Message-Type=Authen OK,User-Name=BOB,NAS-IP-Address=172.16.1.1,Caller-ID=199.44.66.11,NAS-Port=58642432,Group-Name=VPN Users,Filter Information=No Filters activated.,
+
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLUEDOT] ACS Login success from suspicious source"; program: CisACS_01_PassedAuth; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; classtype: successful-user; parse_src_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002876; sid:5002876; rev: 2;)
+
+# 2014-05-07 09:32:45|10.8.0.5|129815|local4|info|info|%ASA*-6-722022| Group User IP <10.10.102.102> UDP SVC connection established without compression
+
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLUEDOT] VPN login from suspicious source [2]"; program: %ASA*-6-722022|%ASA*-6-722023; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002877; sid:5002877; rev: 2;)
+
+# 2014-05-07 16:41:47|192.168.1.1|7050594|local0|info|info|%ASA*-6-303002| FTP connection from inside:10.20.11.20/2351 to dmz:192.168.1.1/21, user bob Stored file somefile
+
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLUEDOT] FTP file transfer from or to suspicious source"; program: %ASA*-6-303002; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; classtype: successful-user; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5002878; sid: 5002878; rev: 2;)
+
diff -Nru sagan-rules-10222015/cisco-brointel.rules sagan-rules-20160923/cisco-brointel.rules
--- sagan-rules-10222015/cisco-brointel.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/cisco-brointel.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan cisco-blacklist.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
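Review bot: Sids 5002870 and 5002873 both match `program: %ASA*-6-716038` (5002873 through `%ASA*-6-716001|%ASA*-6-716038`), so a single WebVPN 716038 login from a flagged address raises two alerts with different `bluedot:` tracking (`track all` versus `track by_src`); either drop `|%ASA*-6-716038` from 5002873 or narrow 5002870 so each message id is owned by one rule. The GRE rule 5002880 is declared `alert udp` while its content match is ` GRE `; if the protocol field only labels output that is harmless, but beside the `alert icmp` rule above it it reads as a mistake and deserves a comment saying it is deliberate. The file has no comment explaining the `bluedot:` arguments — what `type ip_reputation, track all, mdate_effective_period 1 months, Malicious, Tor` means against `track by_src, none, Malicious, Tor, Honeypot` — so a short header block describing the category list and the effective-period semantics would let operators tune it without reading the engine source. The connection rules 5002868/5002869 key on `program: %ASA*-6-*` plus a ` TCP `/` UDP ` content and so match any informational ASA message containing those tokens rather than only connection build/teardown records; naming the intended message ids in a comment above them, or in the `program:` field itself, would tighten the match and document the intent.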
@@ -26,14 +26,14 @@
 #
 # For log examples, see cisco-geoip.rules.
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BROINTEL] VPN Login from Bro Intel IP"; program: %ASA-6-716038; bro-intel: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002250; sid: 5002250; rev: 1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BROINTEL] VPN Login from Bro Intel IP"; program: %ASA*-6-716038; bro-intel: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002250; sid: 5002250; rev: 1;)
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BROINTEL] Console login from Bro Intel IP"; program: %SEC_LOGIN-5-LOGIN_SUCCESS; bro-intel: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002251 sid: 5002251; rev: 1;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BROINTEL] Login permitted from Bro Intel IP"; program: %ASA-6-605005; bro-intel: by_src; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002252; sid: 5002252; rev: 1;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BROINTEL] WebVPN login from Bro Intel IP"; program: %ASA-6-716001; bro-intel: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002253; sid: 5002253; rev: 1;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BROINTEL] VPN disconnect from Bro Intel IP"; program: %ASA-4-113019; bro-intel: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002254; sid: 5002254; rev: 1;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BROINTEL] VPN login from Bro Intel IP"; program: %ASA-6-734001; bro-intel: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002255; sid: 5002255; rev: 1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BROINTEL] Login permitted from Bro Intel IP"; program: %ASA*-6-605005; bro-intel: by_src; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002252; sid: 5002252; rev: 1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BROINTEL] WebVPN login from Bro Intel IP"; program: %ASA*-6-716001; bro-intel: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002253; sid: 5002253; rev: 1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BROINTEL] VPN disconnect from Bro Intel IP"; program: %ASA*-4-113019; bro-intel: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002254; sid: 5002254; rev: 1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BROINTEL] VPN login from Bro Intel IP"; program: %ASA*-6-734001; bro-intel: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002255; sid: 5002255; rev: 1;)
 alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BROINTEL] ACS Login success from Bro Intel IP"; program: CisACS_01_PassedAuth; bro-intel: by_src; classtype: successful-user; parse_src_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002256; sid: 5002256; rev: 1;)
-alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BROINTEL] VPN login from Bro Intel IP [2]"; program: %ASA-6-722022|%ASA-6-722023; bro-intel: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002257; sid: 5002257; rev: 1;)
-alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BROINTEL] FTP file transfer from Bro Intel IP"; program: %ASA-6-303002; bro-intel: by_src; classtype: successful-user; normalize: cisco; reference: url, wiki.quadrantsec.com/bin/view/Main/5002258; sid: 5002258; rev: 1;)
-alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BROINTEL] FTP file transfer from Bro Intel IP"; program: %ASA-6-303002; bro-intel: by_dst; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002259; sid: 5002259; rev: 1;)
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BROINTEL] VPN login from Bro Intel IP [2]"; program: %ASA*-6-722022|%ASA*-6-722023; bro-intel: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002257; sid: 5002257; rev: 1;)
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BROINTEL] FTP file transfer from Bro Intel IP"; program: %ASA*-6-303002; bro-intel: by_src; classtype: successful-user; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5002258; sid: 5002258; rev: 1;)
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BROINTEL] FTP file transfer from Bro Intel IP"; program: %ASA*-6-303002; bro-intel: by_dst; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002259; sid: 5002259; rev: 1;)
diff -Nru sagan-rules-10222015/cisco-correlated.rules sagan-rules-20160923/cisco-correlated.rules
--- sagan-rules-10222015/cisco-correlated.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/cisco-correlated.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan cisco-correlated.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
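Review bot: The unchanged context line for sid 5002251 reads `reference: url, wiki.quadrantsec.com/bin/view/Main/5002251 sid: 5002251; rev: 1;)` — the `;` after the URL is missing, so the reference value swallows ` sid: 5002251` and, depending on how strict the option parser is, the rule either loads without a sid or fails to load; since this hunk already touches the lines around it, fix it here as `reference: url, wiki.quadrantsec.com/bin/view/Main/5002251; sid: 5002251; rev: 1;)` and bump its rev. Sid 5002258 receives the same `normalize: cisco` → `normalize;` change that cisco-blacklist's 5002248 gets in this release, but here `rev: 1;` is kept where the blacklist rule moved to `rev: 2;`; the two files should agree on whether that change is rev-worthy. The wildcard-only `%ASA*-` edits in this hunk share the unbumped-rev problem noted on the cisco-aetas hunk.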
@@ -26,14 +26,14 @@ # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] Console login after suspicious activity"; program: %SEC_LOGIN-5-LOGIN_SUCCESS; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002360; sid:5002360; rev: 3;) -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] Login permitted after suspicious activity"; program: %ASA-6-605005; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002361; sid:5002361; rev: 3;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-CORRELATED] VPN login after suspicious activity"; program: %ASA-6-716001|%ASA-6-716038; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002362; sid:5002362; rev: 3;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-CORRELATED] VPN disconnect after suspicious activity"; program: %ASA-4-113019|%ASA-6-716002|%ASA-6-721018; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002363; sid:5002363; rev: 3;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-CORRELATED] VPN login after suspicious activity"; program: %ASA-6-734001; classtype: correlated-attack; parse_src_ip: 1; flowbits: isset,by_src,recon|honeypot; reference: url, wiki.quadrantsec.com/bin/view/Main/5002364; sid:5002364; rev: 3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] Login permitted after suspicious activity"; program: %ASA*-6-605005; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002361; sid:5002361; rev: 3;) +alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-CORRELATED] VPN login after suspicious activity"; program: %ASA*-6-716001|%ASA*-6-716038; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002362; sid:5002362; rev: 3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-CORRELATED] VPN disconnect after suspicious activity"; program: %ASA*-4-113019|%ASA*-6-716002|%ASA*-6-721018; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002363; sid:5002363; rev: 3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-CORRELATED] VPN login after suspicious activity"; program: %ASA*-6-734001; classtype: correlated-attack; parse_src_ip: 1; flowbits: isset,by_src,recon|honeypot; reference: url, wiki.quadrantsec.com/bin/view/Main/5002364; sid:5002364; rev: 3;) alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] ACS Login success after suspicious activity"; program: CisACS_01_PassedAuth; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; parse_src_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002365; sid:5002365; rev: 3;) -alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] VPN login after suspicious activity [2]"; program: %ASA-6-722022|%ASA-6-722023; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002366; sid:5002366; rev: 3;) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] VPN login after suspicious activity [2]"; program: %ASA*-6-722022|%ASA*-6-722023; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002366; sid:5002366; rev: 3;) -alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] 
FTP file transfer after suspicious activity"; program: %ASA-6-303002; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; normalize: cisco; reference: url, wiki.quadrantsec.com/bin/view/Main/5002367; sid:5002367; rev: 3;) -alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] FTP file transfer after suspicious activity [2]"; program: %ASA-6-303002; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; parse_src_ip: 1; parse_dst_ip: 2; normalize: cisco; reference: url, wiki.quadrantsec.com/bin/view/Main/5002368; sid:5002368; rev: 3;) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] FTP file transfer after suspicious activity"; program: %ASA*-6-303002; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5002367; sid:5002367; rev: 4;) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] FTP file transfer after suspicious activity [2]"; program: %ASA*-6-303002; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; parse_src_ip: 1; parse_dst_ip: 2; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5002368; sid:5002368; rev: 4;) diff -Nru sagan-rules-10222015/cisco-cucm.rules sagan-rules-20160923/cisco-cucm.rules --- sagan-rules-10222015/cisco-cucm.rules 2015-10-22 15:19:05.000000000 +0000 +++ sagan-rules-20160923/cisco-cucm.rules 2016-09-21 02:52:28.000000000 +0000 
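Review bot: The rules whose `program:` pattern changes from `%ASA-` to `%ASA*-` (sids 5002361–5002364 and 5002366) keep `rev: 3`, while 5002367 and 5002368 in the same hunk are bumped to `rev: 4` for the `normalize;` change; a rule's match scope changed without a revision bump, so anything that keys alert metadata or rule diffs on sid+rev will not see the new behaviour. The same pattern appears in the cisco-geoip hunk (5001879, 5001950, 5001962, 5001964, 5002058) and throughout the cisco-malware hunk, where no rev changes at all. Suggest bumping every edited rule in these three hunks, e.g. `sid:5002361; rev: 4;`. If the `*` is meant to cover program fields with a suffix after `%ASA` (an inference; the page does not show the log format), a single comment at the top of the block saying so would spare the next reader the guess.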
@@ -1,5 +1,5 @@
 # Sagan cisco-cucm.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/cisco-geoip.rules sagan-rules-20160923/cisco-geoip.rules
--- sagan-rules-10222015/cisco-geoip.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/cisco-geoip.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan cisco-geoip.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -25,43 +25,43 @@ # # -#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-GEOIP] VPN Login from outside HOME_COUNTRY"; program: %ASA-6-716038; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5001868; sid: 5001868; rev: 1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-GEOIP] VPN Login from outside HOME_COUNTRY"; program: %ASA*-6-716038; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5001868; sid: 5001868; rev: 1;) # %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: testuser] [Source: 10.10.10.10] [localport: 22] at 05:00:13 EST Sun Dec 1 2013 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-GEOIP] Console login from outside HOME_COUNTRY"; program: %SEC_LOGIN-5-LOGIN_SUCCESS; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5001869; sid: 5001869; rev: 1;) -# 10.1.2.1|local4|info|info|a6|2013-12-02|08:00:03|%ASA-6-605005| Login permitted from 10.1.1.1/54112 to inside:10.1.2.1/ssh for user "bob" +# 10.1.2.1|local4|info|info|a6|2013-12-02|08:00:03|%ASA*-6-605005| Login permitted from 10.1.1.1/54112 to inside:10.1.2.1/ssh for user "bob" -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-GEOIP] Login permitted from outside HOME_COUNTRY"; program: %ASA-6-605005; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5001879; sid: 5001879; rev: 1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-GEOIP] Login permitted from outside HOME_COUNTRY"; program: %ASA*-6-605005; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5001879; sid: 5001879; rev: 1;) # WebVPN from outside HOME_COUNTRY -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-GEOIP] VPN login from outside HOME_COUNTRY"; program: %ASA-6-716001|%ASA-6-716038; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5001950; sid: 5001950; rev: 2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-GEOIP] VPN login from outside HOME_COUNTRY"; program: %ASA*-6-716001|%ASA*-6-716038; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5001950; sid: 5001950; rev: 2;) # Group = AnyConnect, Username = bob, IP = 10.10.10.10, Session disconnected. Session Type: SSL, Duration: 12h:00m:19s, Bytes xmt: 332468520, Bytes rcv: 130276830, Reason: Max time exceeded -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-GEOIP] VPN disconnect from outside HOME_COUNTRY"; program: %ASA-4-113019|%ASA-6-716002|%ASA-6-721018; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5001962; sid: 5001962; rev: 1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-GEOIP] VPN disconnect from outside HOME_COUNTRY"; program: %ASA*-4-113019|%ASA*-6-716002|%ASA*-6-721018; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5001962; sid: 5001962; rev: 1;) -# 10.8.5.10|local4|info|info|a6|2014-02-18|02:12:41|%ASA-6-734001| DAP: User bob, Addr 10.10.10.10, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy +# 10.8.5.10|local4|info|info|a6|2014-02-18|02:12:41|%ASA*-6-734001| DAP: User bob, Addr 10.10.10.10, Connection AnyConnect: The following DAP records 
were selected for this connection: DfltAccessPolicy -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-GEOIP] VPN login from outside HOME_COUNTRY"; program: %ASA-6-734001; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5001964; sid: 5001964; rev: 1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-GEOIP] VPN login from outside HOME_COUNTRY"; program: %ASA*-6-734001; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5001964; sid: 5001964; rev: 1;) # Cisco ACS (via VPN) - authentication success # 10.10.10.10|auth|info|info|26|2014-02-20|16:26:58|CisACS_01_PassedAuth| 12s245v32 1 0 Message-Type=Authen OK,User-Name=BOB,NAS-IP-Address=172.16.1.1,Caller-ID=199.44.66.11,NAS-Port=58642432,Group-Name=VPN Users,Filter Information=No Filters activated., alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-GEOIP] ACS Login success from outside HOME_COUNTRY"; program: CisACS_01_PassedAuth; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5001977; sid: 5001977; rev: 1;) -# 2014-05-07 09:32:45|10.8.0.5|129815|local4|info|info|%ASA-6-722022| Group User IP <10.10.102.102> UDP SVC connection established without compression +# 2014-05-07 09:32:45|10.8.0.5|129815|local4|info|info|%ASA*-6-722022| Group User IP <10.10.102.102> UDP SVC connection established without compression -alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-GEOIP] VPN login from outside HOME_COUNTRY [2]"; program: %ASA-6-722022|%ASA-6-722023; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002058; sid: 5002058; rev: 1;) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: 
"[CISCO-GEOIP] VPN login from outside HOME_COUNTRY [2]"; program: %ASA*-6-722022|%ASA*-6-722023; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002058; sid: 5002058; rev: 1;) -# 2014-05-07 16:41:47|192.168.1.1|7050594|local0|info|info|%ASA-6-303002| FTP connection from inside:10.20.11.20/2351 to dmz:192.168.1.1/21, user bob Stored file somefile +# 2014-05-07 16:41:47|192.168.1.1|7050594|local0|info|info|%ASA*-6-303002| FTP connection from inside:10.20.11.20/2351 to dmz:192.168.1.1/21, user bob Stored file somefile # Track by source -alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-GEOIP] FTP file transfer from outside HOME_COUNTRY"; program: %ASA-6-303002; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; normalize: cisco; reference: url, wiki.quadrantsec.com/bin/view/Main/5002059; sid: 5002059; rev: 4;) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-GEOIP] FTP file transfer from outside HOME_COUNTRY"; program: %ASA*-6-303002; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5002059; sid: 5002059; rev: 5;) # Track by dest -alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-GEOIP] FTP file transfer from outside HOME_COUNTRY"; program: %ASA-6-303002; country_code: track by_dst, isnot $HOME_COUNTRY; classtype: successful-user; normalize: cisco; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002060; sid: 5002060; rev: 3;) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-GEOIP] FTP file transfer to outside HOME_COUNTRY"; program: %ASA*-6-303002; country_code: track by_dst, isnot $HOME_COUNTRY; classtype: successful-user; normalize; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002060; sid: 5002060; rev: 5;) diff -Nru 
sagan-rules-10222015/cisco-ios.rules sagan-rules-20160923/cisco-ios.rules
--- sagan-rules-10222015/cisco-ios.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/cisco-ios.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan cisco-ios.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -32,8 +32,8 @@ alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Configuration from console"; content: "SYS-5-CONFIG_I"; parse_src_ip: 1; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000055; sid: 5000055; rev:4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IOS configuration changed"; content: "SYS-5-CONFIG"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000111; sid:5000111; rev:4;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Successful login"; content: "SEC_LOGIN-5-LOGIN_SUCCESS"; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000112; sid:5000112; rev:2;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Failed login"; content: "SEC_LOGIN-4-LOGIN_FAILED"; classtype: unsuccessful-admin; normalize: cisco; reference: url,wiki.quadrantsec.com/bin/view/Main/5001520; sid:5001520; rev:1;) -drop syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Failed login - Brute Force [10/1]"; content: "SEC_LOGIN-4-LOGIN_FAILED"; classtype: unsuccessful-admin; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; fwsam: src, 1 day; normalize: cisco; reference: url,wiki.quadrantsec.com/bin/view/Main/5000113; sid:5000113; rev:8;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Failed login"; content: "SEC_LOGIN-4-LOGIN_FAILED"; classtype: unsuccessful-admin; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001520; sid:5001520; rev:2;) +drop syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Failed login - Brute Force [10/1]"; content: "SEC_LOGIN-4-LOGIN_FAILED"; classtype: unsuccessful-admin; flowbits: set,brute_force,21600; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; fwsam: src, 1 day; normalize; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5000113; sid:5000113; rev:10;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Fan failure - Fan not rotating [0/2]"; content: "ENVMON-3-FAN_FAILED"; classtype: hardware-event; threshold: type limit, track by_src, count 2, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5000388; sid:5000388; rev:4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Fans had a rotation error reported [0/2]"; content: "%FAN-3-FAN_FAILED"; classtype: hardware-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001198; sid:5001198; rev:3;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Power Controller reports power Imax error detected"; content: "%ILPOWER-3-CONTROLLER_PORT_ERR"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001190; sid:5001199; rev:1;) 
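Review bot: After this change, `drop` rule 5000113 here and `alert` rule 5001686 in the next hunk are near-duplicates: both match `SEC_LOGIN-4-LOGIN_FAILED` with the same `after: track by_src, count 10, seconds 300`, the same `threshold: type limit, track by_src, count 1, seconds 86400`, the same `fwsam: src, 1 day`, and now both set `brute_force`, so one burst of failed logins produces two alerts and, presumably, two fwsam block requests. They differ only in classtype and in that 5000113 has no `parse_src_ip:`; if Sagan falls back to the syslog sender as the source address when nothing is parsed, `fwsam: src` on 5000113 would target the reporting device rather than the client — worth confirming before keeping it. Suggest retiring one of the two (5001686 already carries `parse_src_ip: 1`) and adding above the survivor a comment such as `# Sets brute_force (expires after 21600s) for correlation rules; see 5001670 for the SSH equivalent`.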
@@ -85,13 +85,13 @@ alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Bad CRC on ASIC Line Card"; content: "CONST_DIAG-SP-4-ERROR_COUNTER_WARNING"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#module; sid: 5001518; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switch Detected Unknown Protocol"; content: "SYS-3-PORT_RX_BADCODE"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#badcode; sid: 5001519; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Login Failed"; content: "SEC_LOGIN-4-LOGIN_FAILED"; classtype: unsuccessful-user; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001625; sid: 5001625; rev:1;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Login Failed - Brute Force [10/1]"; content: "SEC_LOGIN-4-LOGIN_FAILED"; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; fwsam: src, 1 day; classtype: unsuccessful-user; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001686; sid: 5001686; rev:6;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Login Failed - Brute Force [10/1]"; content: "SEC_LOGIN-4-LOGIN_FAILED"; flowbits: set,brute_force,21600; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; fwsam: src, 1 day; classtype: unsuccessful-user; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001686; sid: 5001686; rev:7;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] High CPU usage detected"; content: "HIGH CPU DETECTED"; threshold: type limit, track by_src, count 1, seconds 3600; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001626; sid: 5001626; rev:2;) # 
%AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user cisco from 10.10.10.10 - sshd[27924] #alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[CISCO-IOS] Authentication Failure SSH"; content: "%AUTHPRIV-3-SYSTEM_MSG|3a|"; content: "sshd["; classtype: unsuccessful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001668; sid: 5001668; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[CISCO-IOS] Authentication Failure SSH - Brute force [5/5]"; content: "%AUTHPRIV-3-SYSTEM_MSG|3a|"; content: "sshd["; classtype: unsuccessful-admin; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001670; sid: 5001670; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[CISCO-IOS] Authentication Failure SSH - Brute force [5/5]"; content: "%AUTHPRIV-3-SYSTEM_MSG|3a|"; content: "sshd["; flowbits: set,brute_force,21600; classtype: unsuccessful-admin; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001670; sid: 5001670; rev:6;) # %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user cisco from 10.10.10.10 - sshd[27926] diff -Nru sagan-rules-10222015/cisco-malware.rules sagan-rules-20160923/cisco-malware.rules --- sagan-rules-10222015/cisco-malware.rules 2015-10-22 15:19:05.000000000 +0000 +++ sagan-rules-20160923/cisco-malware.rules 2016-09-21 02:52:28.000000000 +0000 @@ -1,5 +1,5 @@ # Sagan cisco-malware.rules -# Copyright (c) 2009-2015, Quadrant Information Security +# Copyright (c) 2009-2016, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 
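Review bot: The new `flowbits: set,brute_force,21600;` option is placed before `classtype` in 5001670 and 5001686 but after `classtype` in 5000113 (previous hunk); putting it in the same position in all three brute-force rules, directly after the last `content:` as done here, makes them easier to compare. The flowbit name and its 21600-second lifetime are not explained in this file, and no rule on this page reads `brute_force` (the correlated rules test `recon|honeypot`), so a comment above the first setter would help, e.g. `# brute_force flowbit: set by the failed-login rules, expires after 6h; consumed by the correlated rules`. If the consumer lives in a file not shown in this diff, name that file in the comment instead.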
@@ -28,23 +28,23 @@ # Added by Champ Clark - # These rules trigger if you are dropping (denying) traffic to zeroaccess already. -alert udp $HOME_NET any -> $EXTERNAL_NET 16464 (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16464 detected [denied] [5/5]"; program: %ASA-4-106023|%PIX-4-106023; content: "/16464 by access-group"; content: "Deny udp src inside"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001724; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001724; rev: 6;) -alert udp $HOME_NET any -> $EXTERNAL_NET 16465 (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16465 detected [denied] [5/5]"; program: %ASA-4-106023|%PIX-4-106023; content: "/16465 by access-group"; content: "Deny udp src inside"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001725; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001725; rev: 6;) -alert udp $HOME_NET any -> $EXTERNAL_NET 16470 (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16470 detected [denied] [5/5]"; program: %ASA-4-106023|%PIX-4-106023; content: "/16470 by access-group"; content: "Deny udp src inside"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001726; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001726; rev: 6;) -alert udp $HOME_NET any -> $EXTERNAL_NET 16471 (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16471 detected [denied] [5/5]"; program: %ASA-4-106023|%PIX-4-106023; content: "/16471 by access-group"; content: "Deny udp src inside"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001727; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, 
seconds 300; after: track by_src, count 5, seconds 300; sid: 5001727; rev: 6;) +alert udp $HOME_NET any -> $EXTERNAL_NET 16464 (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16464 detected [denied] [5/5]"; program: %ASA*-4-106023|%PIX-4-106023; content: "/16464 by access-group"; content: "Deny udp src inside"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001724; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001724; rev: 6;) +alert udp $HOME_NET any -> $EXTERNAL_NET 16465 (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16465 detected [denied] [5/5]"; program: %ASA*-4-106023|%PIX-4-106023; content: "/16465 by access-group"; content: "Deny udp src inside"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001725; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001725; rev: 6;) +alert udp $HOME_NET any -> $EXTERNAL_NET 16470 (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16470 detected [denied] [5/5]"; program: %ASA*-4-106023|%PIX-4-106023; content: "/16470 by access-group"; content: "Deny udp src inside"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001726; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001726; rev: 6;) +alert udp $HOME_NET any -> $EXTERNAL_NET 16471 (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16471 detected [denied] [5/5]"; program: %ASA*-4-106023|%PIX-4-106023; content: "/16471 by access-group"; content: "Deny udp src inside"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001727; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, 
seconds 300; sid: 5001727; rev: 6;) # Older TCP port 13620 (pre-Q2 2012) -alert tcp $HOME_NET any -> $EXTERNAL_NET 13620 (msg: "[CISCO-MALWARE] ZeroAccess pre-2012 TCP port 13620 detected [denied] [5/5]"; program: %ASA-4-106023|%PIX-4-106023; content: "/13620 by access-group"; content: "Deny tcp src inside"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001790; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001790; rev: 7;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 13620 (msg: "[CISCO-MALWARE] ZeroAccess pre-2012 TCP port 13620 detected [denied] [5/5]"; program: %ASA*-4-106023|%PIX-4-106023; content: "/13620 by access-group"; content: "Deny tcp src inside"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001790; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001790; rev: 7;) -alert udp $HOME_NET any -> $EXTERNAL_NET 16464 (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16464 detected [allowed] [5/5]"; program: %ASA-6-302015|%PIX-6-302015; content: "/16464 "; content: "outbound UDP"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001858; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001858; rev: 3;) -alert udp $HOME_NET any -> $EXTERNAL_NET 16465 (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16465 detected [allowed] [5/5]"; program: %ASA-6-302015|%PIX-6-302015; content: "/16465 "; content: "outbound UDP"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001859; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001859; rev: 3;) 
-alert udp $HOME_NET any -> $EXTERNAL_NET 16470 (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16470 detected [allowed] [5/5]"; program: %ASA-6-302015|%PIX-6-302015; content: "/16470 "; content: "outbound UDP"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001860; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001860; rev: 3;) -alert udp $HOME_NET any -> $EXTERNAL_NET 16471 (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16471 detected [allowed] [5/5]"; program: %ASA-6-302015|%PIX-6-302015; content: "/16470 "; content: "outbound UDP"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001861; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001861; rev: 3;) +alert udp $HOME_NET any -> $EXTERNAL_NET 16464 (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16464 detected [allowed] [5/5]"; program: %ASA*-6-302015|%PIX-6-302015; content: "/16464 "; content: "outbound UDP"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001858; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001858; rev: 3;) +alert udp $HOME_NET any -> $EXTERNAL_NET 16465 (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16465 detected [allowed] [5/5]"; program: %ASA*-6-302015|%PIX-6-302015; content: "/16465 "; content: "outbound UDP"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001859; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001859; rev: 3;) +alert udp $HOME_NET any -> $EXTERNAL_NET 16470 (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16470 detected [allowed] [5/5]"; program: 
%ASA*-6-302015|%PIX-6-302015; content: "/16470 "; content: "outbound UDP"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001860; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001860; rev: 3;) +alert udp $HOME_NET any -> $EXTERNAL_NET 16471 (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16471 detected [allowed] [5/5]"; program: %ASA*-6-302015|%PIX-6-302015; content: "/16470 "; content: "outbound UDP"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001861; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001861; rev: 3;) # Older TCP port 13620 (pre-Q2 2012) -alert tcp $HOME_NET any -> $EXTERNAL_NET 13620 (msg: "[CISCO-MALWARE] ZeroAccess TCP port 13620 detected [allowed] [5/5]"; program: %ASA-6-302013|%PIX-6-302013; content: "/13620 "; content: "outbound TCP"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001862; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001862; rev: 3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 13620 (msg: "[CISCO-MALWARE] ZeroAccess TCP port 13620 detected [allowed] [5/5]"; program: %ASA*-6-302013|%PIX-6-302013; content: "/13620 "; content: "outbound TCP"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001862; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001862; rev: 3;) # 10.20.1.7|local7|info|info|be|2014-02-19|20:25:11|344306| Feb 19 15:25:11.570: %SEC-6-IPACCESSLOGP: list control_outbound denied tcp 10.3.2.3(4343) -> 10.99.0.7(50122), 2 packets diff -Nru 
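Review bot: sid 5001861 (`$EXTERNAL_NET 16471`, msg `ZeroAccess UDP port 16471 detected [allowed]`) still carries `content: "/16470 ";`, a copy of 5001860's payload check, so it fires on port-16470 connections that 5001860 already covers and never on 16471, leaving the `[allowed]` case for 16471 blind. The commit rewrites this line but carries the defect forward with `rev: 3` unchanged. Change it to `content: "/16471 ";` and bump the rev; the `[denied]` rule 5001727 for the same port has the correct `/16471 by access-group` and is the reference. The missing rev bump for the `program:` change across this hunk is noted on the cisco-correlated hunk.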
sagan-rules-10222015/cisco-normalize.rulebase sagan-rules-20160923/cisco-normalize.rulebase
--- sagan-rules-10222015/cisco-normalize.rulebase 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/cisco-normalize.rulebase 1970-01-01 00:00:00.000000000 +0000
@@ -1,135 +0,0 @@
-# Sagan cisco-normalize.rulebase
-# Copyright (c) 2009-2015, Quadrant Information Security
-# All rights reserved.
-#
-# This file is used in conjunction with liblognorm.
-#
-# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
-#
-#*************************************************************
-# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
-# following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
-# disclaimer.
-# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
-# following disclaimer in the documentation and/or other materials provided with the distribution.
-# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
-# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
-# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#
-#*************************************************************
-
-prefix=
-#
-# 1w3d: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.168.0.1
-
-rule=: %uptime:word% %authfail:word% Authentication failure for SNMP req from host %src-ip:ipv4%
-
-# Dec 26 19:59:26: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.128.27
-
-rule=: %month:word% %day:word% %hour:word% %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host %src-ip:ipv4%
-
-# Access denied URL http://www.example.com/somethings.txt SRC 192.168.0.1 DEST 10.10.10.10 on interface inside
-
-rule=: Access denied URL %url:word% SRC %src-ip:ipv4% DEST %dst-ip:ipv4% %-:rest%
-
-# Caused by WebVPN or IPSec
-# AAA user authentication Successful : server = 10.10.10.10 : user = domain\bob
-
-rule=: AAA user authentication Successful : server = %ip-src:ipv4% : user = %username:word%
-rule=: AAA user authentication Rejected : reason = AAA failure : server = %src-ip:ipv4% : user = %username:word%
-
-# User authentication failed: Uname: timothy
-
-rule=: User authentication failed: Uname: %username:word%
-
-# Space at the end of this line!
-# %ASA-6-315011: SSH session from 192.168.0.1 on interface Outside2 for user "test" disconnected by SSH server, reason: "Internal error" (0x00)
-# SSH session from 10.20.10.200 on interface Outside2 for user "root" disconnected by SSH server, reason: "Internal error" (0x00)
-
-rule=: SSH session from %src-ip:ipv4% on interface %-:word% for user %username:quoted-string% disconnected by SSH server, %-:rest%
-rule=: SSH session from %src-ip:ipv4% on interface %-:word% for user %username:quoted-string% disconnected by SSH server, %-:rest%
-
-rule=: Configured from console by %-:word% (%src-ip:ipv4%)
-rule=: Authentication failure for %proto:word% req from host %src-ip:ipv4%
-rule=: Attempted to connect to %username:word% from %src-ip:ipv4%
-
-# 02:19:47.007 UTC: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.10.10.10
-#
-rule=: %-:word% %-:word% %-:word% %-:word% %%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host %src-ip:ipv4%
-
-# Deny TCP (no connection) from perforce/139 to 192.168.73.1/2048 flags RST ACK on interface INSIDE
-#
-rule=: Deny %proto:word% (no connection) from %src-ip:ipv4%/%src-port:number% to %dst-ip:ipv4%/%dst-port:number% flags %-:rest%
-
-# Mar 31 02:30:42.815 UTC: %SYS-5-CONFIG_I: Configured from console by sachen on vty0 (10.32.23.63)
-#
-rule=: %-:word% %-:word% %-:word% %-:word% %%SYS-5-CONFIG_I: Configured from console by %username:word% on %-:word% (%src-ip:ipv4%)
-
-# Deny inbound UDP from 46.161.166.49/63905 to 214.20.10.211/65257 on interface OUTSIDE
-#
-rule=: Deny inbound UDP from %src-ip:ipv4%/%src-port:number% to %dst-ip:ipv4%/%dst-port:number% %-:rest%
-
-# Denied ICMP type=8, code=0 from 159.101.118.111 on interface INSIDE
-#
-rule=: Denied ICMP type=%-:number%, code=%-:number% from %src-ip:ipv4% %-:rest%
-
-# These cover a lot of WebVPN, etc rules.
-#
-# Group User IP <10.10.10.10> WebVPN session terminated: User Requested.
-# Group User IP <10.10.10.10> WebVPN session terminated: Idle Timeout.
-# Group User IP <10.10.10.10> SVC closing connection: Transport closing.
-# Group User IP <10.10.10.10> SVC Message: 17/ERROR: Reconnecting to recover from error..
-#
-rule=: Group <%-:char-to:\x3e%> User <%username:char-to:\x3e%> IP <%src-ip:char-to:\x3e%> %-:rest%
-
-# Teardown UDP connection 31929471 for inside:10.10.10.10/1111 to dmz:239.254.0.4/12224 duration 0:00:00 bytes 0
-# Teardown TCP connection 1829067148 for outside:10.10.10.10/443 to inside:192.168.1.1/10830 duration 0:03:04 bytes 8699 TCP FINs"
-
-rule=: Teardown %proto:word% connection %connection:number% for %-:char-to:\x3a%:%src-ip:ipv4%/%src-port:number% to %-:char-to:\x3a%:%dst-ip:ipv4%/%dst-port:number% %-:rest%
-
-# Teardown ICMP connection for faddr 10.10.10.10/0 gaddr 192.168.1.1/10000 laddr 192.168.1.1/100001
-
-rule=: Teardown %proto:word% connection for %-:word% %src-ip:ipv4%/%src-port:number% %-:word% %dst-ip:ipv4%/28694 %-:rest%
-
-# access-list inside_egress permitted tcp inside/10.10.10.1(10000) -> outside/192.186.1.1(80) hit-cnt 1 first hit [0xf83f456b, 0x0]
-
-rule=: access-list %-:word% permitted %proto:word% %-:char-to:\x2f%/%src-ip:ipv4%(%src-port:number%) -> %-:char-to:\x2f%/%dst-ip:ipv4%(%dst-port:number%) %-:rest%
-
-# Built inbound TCP connection 3171137 for outside:10.10.10.10/10000 (10.10.10.10/10000)(DOMAIN\Bob) to inside:192.168.1.10/80 (192.168.1.1/80) (Bob)
-
-rule=: Built %-:word% %proto:word% connection %-:number% for %-:char-to:\x3a%:%src-ip:ipv4%/%src-port:number% (%-:ipv4%/58521)(%domain:char-to:\x5c%\%username:char-to:\x29%) to %-:char-to:\x3a%:%dst-ip:ipv4%/%dst-port:number% %-:rest%
-
-# Built inbound TCP connection 1834111354 for outside:10.10.10.10/28490 (10.10.10.10/28490) to dmz:192.168.1.1/80 (192.168.1.1/80)
-
-rule=: Built %-:word% %proto:word% connection %-:number% for %-:char-to:\x3a%:%src-ip:ipv4%/%src-port:number% %-:word% to %-:char-to:\x3a%:%dst-ip:ipv4%/%dst-port:number% %-:rest%
-
-# Group = Employee, Username = bob, IP = 10.10.10.10, Error
processing payload: Payload ID: 14
-
-rule=: Group = %-:word%, Username = %username:word%, IP = %src-ip:ipv4%, %-:rest%
-rule=: Group = %-:char-to:\x2c%, Username = %username:char-to:\x2c%, IP = %src-ip:ipv4%, %-:rest%
-
-
-# FTP connection from inside:10.10.1.1/3789 to outside:12.12.12.12/21, user bob Retrieved file somefile.txt
-
-rule=: FTP connection from %-:char-to:\x3a%:%src-ip:ipv4%/%src-port:number% to %-:char-to:\x3a%:%dst-ip:ipv4%/%dst-port:number%, user %username:word% %-:rest%
-
-# TCP access denied by ACL from 10.10.10.10/28490 to inside:192.168.1.1/80
-
-rule =: TCP access denied by ACL from %src-ip:ipv4%/%src-port:number% to %-:char-to:\x3a%:%dst-ip:ipv4%/%dst-port:number%
-
-# Teardown TCP connection 361112504 for outside:10.10.1.100/61160(LOCAL\Bob) to inside:12.159.2.124/443 duration 0:00:13 bytes 3216 TCP FINs (Bob)
-
-rule=: Teardown %proto:word% connection %-:number% for outside:%src-ip:ipv4%/%src-port:number%%-:word% to inside:%dst-ip:ipv4%/%dst-port:number% %-:rest%
-
-# Cisco ACS normalization
-
-rule=: %-:word% %-:number% %-:number% %-:word% %-:word% %-:word% %-:word% %-:word% NOTICE Failed-Attempt: Authentication failed, ACSVersion=%-:word% ConfigVersionId=%-:word% Device IP Address=%src-ip:char-to:\x2c%, Device Port=%src-port:char-to:\x2c%, UserName=%username:char-to:\x2c%, Protocol=%-:word% RequestLatency=%-:word% NetworkDeviceName=%-:word% Type=Authentication, Action=Login, Privilege-Level=%-:word% Authen-Type=%-:word% Service=Login, User=%-:word% Port=%-:word% Remote-Address=%dst-ip:char-to:\x2c%, %-:rest%
diff -Nru sagan-rules-10222015/cisco-pixasa.rules sagan-rules-20160923/cisco-pixasa.rules
--- sagan-rules-10222015/cisco-pixasa.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/cisco-pixasa.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan cisco-pixasa.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -27,468 +27,468 @@
 # Iman Khosravi updated many of these rules to support the Cisco FWSM (firewall service modules).
 # 06/25/2012.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to initialize 4GE SSM I/O card"; program: %ASA-1-114001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000416; sid: 5000416; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to initialize SFP in 4GE SSM I/O card"; program: %ASA-1-114002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000417; sid: 5000417; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to run cached commands in 4GE SSM I/O card"; program: %ASA-1-114003; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000418; sid: 5000418; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function"; program: %ASA-1-216001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000419; sid: 5000419; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] AAA Marking protocol server ip-addr in server group tag as FAILED"; program: %ASA-2-113022|%FWSM-2-113022; parse_src_ip: 1; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000420; sid: 5000420; rev: 4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in - function message"; program: %ASA-2-216001|%FWSM-2-216001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000421; sid: 5000421; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber library cannot locate AK47 instance"; program: %ASA-2-716500; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000422; sid: 5000422; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any
(msg: "[CISCO-PIXASA] Internal error in function Fiber library cannot attach AK47 instance"; program: %ASA-2-716501; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000423; sid: 5000423; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber library cannot allocate default arena"; program: %ASA-2-716502|%FWSM-2-716502; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000424; sid: 5000424; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber library cannot allocate fiber descriptors pool"; program: %ASA-2-716503; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000425; sid: 5000425; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber library cannot allocate fiber stacks pool"; program: %ASA-2-716504; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000426; sid: 5000426; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber has joined fiber in unfinished state"; program: %ASA-2-716505; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000427; sid: 5000427; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber scheduler has reached unreachable code. Cannot continue terminating"; program: %ASA-2-716507; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000428; sid: 5000428; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber scheduler is scheduling rotten fiber.
Cannot continuing terminating"; program: %ASA-2-716508; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000429; sid: 5000429; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber scheduler is scheduling alien fiber. Cannot continue terminating"; program: %ASA-2-716509; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000430; sid: 5000430; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber scheduler is scheduling finished fiber. Cannot continue terminating"; program: %ASA-2-716510; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000431; sid: 5000431; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber has joined fiber waited upon by someone else"; program: %ASA-2-716512; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000432; sid: 5000432; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber in callback blocked on other channel"; program: %ASA-2-716513; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000433; sid: 5000433; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM failed to allocate memory for AK47 instance"; program: %ASA-2-716515; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000434; sid: 5000434; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM has corrupted ROL array.
Cannot continue terminating"; program: %ASA-2-716516|%FWSM-2-716516; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000435; sid: 5000435; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM cached block has no associated arena"; program: %ASA-2-716517|%FWSM-2-716517; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000436; sid: 5000436; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM pool has no associated arena"; program: %ASA-2-716518|%FWSM-2-716518; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000437; sid: 5000437; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM has corrupted pool list. Cannot continue terminating"; program: %ASA-2-716519|%FWSM-2-716519; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000438; sid: 5000438; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM pool has no block list"; program: %ASA-2-716520|%FWSM-2-716520; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000439; sid: 5000439; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM no realloc allowed in named pool"; program: %ASA-2-716521|%FWSM-2-716521; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000440; sid: 5000440; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM corrupted standalone block"; program: %ASA-2-716522|%FWSM-2-716522; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000441; sid: 5000441; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA]
UNICORN_SYSLOGID_PERM_STORAGE_SERVER_LOAD_FAIL"; program: %ASA-2-716526|%FWSM-2-716526; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000442; sid: 5000442; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] UNICORN_SYSLOGID_PERM_STORAGE_SERVER_STORE_FAIL"; program: %ASA-2-716527|%FWSM-2-716527; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000443; sid: 5000443; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unexpected fiber scheduler error - possible out-of-memory condition"; program: %ASA-2-716528|%FWSM-2-716528; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000444; sid: 5000444; rev: 4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to get port statistics in 4GE SSM I/O card"; program: %ASA-3-114006; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000445; sid: 5000445; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to get current msr in 4GE SSM I/O card"; program: %ASA-3-114007; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000446; sid: 5000446; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to enable port after link is up in 4GE SSM I/O card"; program: %ASA-3-114008; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000447; sid: 5000447; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set multicast address in 4GE SSM I/O card"; program: %ASA-3-114009; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000448; sid: 5000448; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set multicast hardware address in 4GE SSM I/O card"; program: %ASA-3-114010; classtype: bad-unknown; reference: url,
wiki.quadrantsec.com/bin/view/Main/5000449; sid: 5000449; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to delete multicast address in 4GE SSM I/O card"; program: %ASA-3-114011; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000450; sid: 5000450; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to delete multicast hardware address in 4GE SSM I/O card"; program: %ASA-3-114012; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000451; sid: 5000451; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set mac address table in 4GE SSM I/O card"; program: %ASA-3-114013; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000452; sid: 5000452; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set mac address in 4GE SSM I/O card"; program: %ASA-3-114014; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000453; sid: 5000453; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set mode in 4GE SSM I/O card"; program: %ASA-3-114015; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000454; sid: 5000454; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set multicast mode in 4GE SSM I/O card"; program: %ASA-3-114016; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000455; sid: 5000455; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to get link status in 4GE SSM I/O card"; program: %ASA-3-114017; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000456; sid: 5000456; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set port speed in 4GE SSM I/O card"; program: %ASA-3-114018; classtype:
bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000457; sid: 5000457; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set media type in 4GE SSM I/O card"; program: %ASA-3-114019; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000458; sid: 5000458; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function message"; program: %ASA-3-216001|%FWSM-3-216001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000459; sid: 5000459; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] I2C_API_name error"; program: %ASA-3-219002|%FWSM-3-219002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000460; sid: 5000460; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPN Handle error protocol"; program: %ASA-3-316002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000461; sid: 5000461; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot experienced a control channel communications failure"; program: %ASA-3-323001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000462; sid: 5000462; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot failed to write software.
Hw-module reset is required before further use"; program: %ASA-3-323004; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000463; sid: 5000463; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot can not be powered on completely"; program: %ASA-3-323005; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000464; sid: 5000464; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Type Module in slot experienced a data channel communication failure, data channel is DOWN"; program: %ASA-3-323006; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000465; sid: 5000465; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IPS card not up and fail-close mode used, dropping ICMP packet [1]"; program: %ASA-3-420001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000466; sid: 5000466; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IPS card not up and fail-close mode used, dropping ICMP packet [2]"; program: %ASA-3-420001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000467; sid: 5000467; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] TCP|UDP flow from interface is dropped because application has failed"; program: %ASA-3-421001|%FWSM-3-421001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000468; sid: 5000468; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] TCP|UDP flow from interface is skipped because application has failed"; program: %ASA-3-421007|%FWSM-3-421007; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000469; sid: 5000469; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authentication to SSO server failed"; program:
%ASA-3-716056|%FWSM-3-716056; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000470; sid: 5000470; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Email Proxy session pointer has terminated due to reason error"; program: %ASA-3-719002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000471; sid: 5000471; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SVC Message ERROR message [1]"; program: %ASA-3-722007|%FWSM-3-722007; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000472; sid: 5000472; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SVC Message ERROR message [2]"; program: %ASA-3-722008|%FWSM-3-722008; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000473; sid: 5000473; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SVC Message ERROR message [3]"; program: %ASA-3-722009|%FWSM-3-722009; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000474; sid: 5000474; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot is not able to shut down. Module Error"; program: %ASA-4-413001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000475; sid: 5000475; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot is not able to reload. Module Error"; program: %ASA-4-413002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000476; sid: 5000476; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot failed to write software.
Trying again"; program: %ASA-4-413004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000477; sid: 5000477; rev: 2;)
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IPS requested to drop ICMP packets"; program: %ASA-4-420002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000478; sid: 5000478; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {Allowed | Dropped} invalid NBNS pkt"; program: %ASA-4-423001|%FWSM-4-423001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000479; sid: 5000479; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {Allowed | Dropped} mismatched NBNS pkt"; program: %ASA-4-423002|%FWSM-4-423002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000480; sid: 5000480; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {Allowed | Dropped} invalid NBDGM pkt"; program: %ASA-4-423003|%FWSM-4-423003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000481; sid: 5000481; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {Allowed | Dropped} mismatched NBDGM pkt"; program: %ASA-4-423004|%FWSM-4-423004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000482; sid: 5000482; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {Allowed | Dropped} NBDGM pkt"; program: %ASA-4-423005|%FWSM-4-423005; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000483; sid: 5000483; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Packet denied.
[Ingress|Egress] interface is in a backup state"; program: %ASA-4-424001|%FWSM-4-424001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000484; sid: 5000484; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Connection to the backup interface is denied"; program: %ASA-4-424002|%FWSM-4-424002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000485; sid: 5000485; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny traffic, licensed host limit exceeded."; program: %ASA-4-450001|%FWSM-4-450001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000486; sid: 5000486; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Received DH key with bad length"; program: %ASA-4-713240|%FWSM-4-713240; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000487; sid: 5000487; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] META-DATA Unexpected error in Next Card Code mode while not doing SDI"; program: %ASA-4-713247; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000488; sid: 5000488; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] META-DATA Received authentication failure message"; program: %ASA-4-713251|%FWSM-4-713251; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000489; sid: 5000489; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to initialize with Chunk Manager"; program: %ASA-4-720001|%FWSM-4-720001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000490; sid: 5000490; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to allocate chunk from Chunk Manager"; program: %ASA-4-720007|%FWSM-4-720007; classtype: bad-unknown; reference: url,
wiki.quadrantsec.com/bin/view/Main/5000491; sid: 5000491; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to register to High Availability Framework"; program: %ASA-4-720008; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000492; sid: 5000492; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to create version control block"; program: %ASA-4-720009|%FWSM-4-720009; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000493; sid: 5000493; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to allocate memory"; program: %ASA-4-720011|%FWSM-4-720011; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000494; sid: 5000494; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to insert certificate in trust point"; program: %ASA-4-720013|%FWSM-4-720013; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000495; sid: 5000495; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to queue add to message queue"; program: %ASA-4-720033|%FWSM-4-720033; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000496; sid: 5000496; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to send type message id to standby unit"; program: %ASA-4-720043|%FWSM-4-720043; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000497; sid: 5000497; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to receive message from active unit"; program: %ASA-4-720044|%FWSM-4-720044; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000498; sid: 5000498; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any
(msg: "[CISCO-PIXASA] [VPN-unit] Failed to sync SDI node secret file for server on the standby unit"; program: %ASA-4-720047|%FWSM-4-720047; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000499; sid: 5000499; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to add new SDI node secret file for server id on the standby unit"; program: %ASA-4-720051|%FWSM-4-720051; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000500; sid: 5000500; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to delete SDI node secret file for server id on the standby unit"; program: %ASA-4-720052|%FWSM-4-720052; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000501; sid: 5000501; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to add cTCP IKE rule during bulk sync"; program: %ASA-4-720053|%FWSM-4-720053; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000502; sid: 5000502; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to add new cTCP record"; program: %ASA-4-720054|%FWSM-4-720054; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000503; sid: 5000503; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN Stateful failover can only be run in single/non-transparent mode"; program: %ASA-4-720055; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000504; sid: 5000504; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to update cTCP database"; program: %ASA-4-720064|%FWSM-4-720064; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000505; sid: 5000505; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:
"[CISCO-PIXASA] [VPN-unit] Failed to add new cTCP IKE rule"; program: %ASA-4-720065|%FWSM-4-720065; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000506; sid: 5000506; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to activate IKE database"; program: %ASA-4-720066|%FWSM-4-720066; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000507; sid: 5000507; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to deactivate IKE database"; program: %ASA-4-720067|%FWSM-4-720067; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000508; sid: 5000508; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to parse peer message"; program: %ASA-4-720068|%FWSM-4-720068; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000509; sid: 5000509; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to activate cTCP database"; program: %ASA-4-720069; classtype|%FWSM-4-720069: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000510; sid: 5000510; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to deactivate cTCP database"; program: %ASA-4-720070|%FWSM-4-720070; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000511; sid: 5000511; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Fail to insert certificate in trust point on the standby unit"; program: %ASA-4-720073|%FWSM-4-720073; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000512; sid: 5000512; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error parsing SVC connect request"; program: %ASA-4-722001|%FWSM-4-722001; parse_src_ip: 1; classtype: bad-unknown; 
reference: url, wiki.quadrantsec.com/bin/view/Main/5000513; sid: 5000513; rev: 5;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error consolidating SVC connect request."; program: %ASA-4-722002|%FWSM-4-722002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000514; sid: 5000514; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error authenticating SVC connect request"; program: %ASA-4-722003|%FWSM-4-722003; parse_src_ip: 1; classtype: unsuccessful-admin; reference: url, wiki.quadrantsec.com/bin/view/Main/5000515; sid: 5000515; rev: 4;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error responding to SVC connect request"; program: %ASA-4-722004|%FWSM-4-722004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000516; sid: 5000516; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad SVC frame length length expected"; program: %ASA-4-722016|%FWSM-4-722016; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000517; sid: 5000517; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad SVC framing 525446, reserved 0"; program: %ASA-4-722017|%FWSM-4-722017; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000518; sid: 5000518; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad SVC protocol version"; program: %ASA-4-722018|%FWSM-4-722018; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000519; sid: 5000519; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] CRYPTO An attempt to allocate a large memory block failed"; program: %ASA-5-402128|%FWSM-5-402128; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000520; sid: 5000520; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] META-DATA 
Rekey initiation is being disabled during CRACK authentication"; program: %ASA-5-713248|%FWSM-5-713248; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000521; sid: 5000521; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Integrity Firewall Server is not available. VPN Tunnel creation rejected for client"; program: %ASA-5-713252; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000522; sid: 5000522; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Integrity Firewall Server is not available. Entering ALLOW mode. VPN Tunnel created for client"; program: %ASA-5-713253; classtype: successful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000523; sid: 5000523; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to initialize default timer"; program: %ASA-5-720016; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000525; sid: 5000525; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to update LB runtime data"; program: %ASA-5-720017; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000526; sid: 5000526; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to get a buffer from the underlying core high availability subsystem"; program: %ASA-5-720018; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000527; sid: 5000527; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to update cTCP statistics"; program: %ASA-5-720019; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000528; sid: 5000528; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to send type timer message"; program: %ASA-5-720020; 
classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000529; sid: 5000529; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] HA non-block send failed for peer msg. HA error code."; program: %ASA-5-720021; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000530; sid: 5000530; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Fail to look up CTCP flow handle"; program: %ASA-5-720035; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000531; sid: 5000531; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to process state update message from the active peer"; program: %ASA-5-720036; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000532; sid: 5000532; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to update cTCP dynamic data"; program: %ASA-5-720071; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000533; sid: 5000533; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Timeout waiting for Integrity Firewall Server to become available"; program: %ASA-5-720072|%FWSM-5-720072; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000534; sid: 5000534; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] CRYPTO An attempt to release a DMA memory block failed, location address"; program: %ASA-6-402129|%FWSM-6-402129; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000535; sid: 5000535; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN access DENIED to specified location url"; program: %ASA-6-716004; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000536; sid: 5000536; rev: 2;) -alert 
syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN ACL Parse Error"; program: %ASA-6-716005; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000537; sid: 5000537; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN session not allowed. WebVPN ACL parse error"; program: %ASA-6-716009; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000538; sid: 5000538; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Reboot pending, new sessions disabled. Denied user login"; program: %ASA-6-716040|%FWSM-6-716040; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000539; sid: 5000539; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error adding to ACL"; program: %ASA-6-716050|%FWSM-6-716050; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000540; sid: 5000540; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error adding dynamic ACL for user"; program: %ASA-6-716051|%FWSM-6-716051; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000541; sid: 5000541; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Email Proxy feature is disabled on interface"; program: %ASA-6-719010|%FWSM-6-719010; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000542; sid: 5000542; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN authorization failed"; program: %ASA-6-719019; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000543; sid: 5000543; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN authorization completed successfully"; program: %ASA-6-719020; classtype: successful-user; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5000544; sid: 5000544; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN has not been successfully authenticated. Access denied"; program: %ASA-6-719023; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000545; sid: 5000545; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Email Proxy piggyback auth fail session"; program: %ASA-6-719024; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000546; sid: 5000546; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Email Proxy DNS name resolution failed for hostname"; program: %ASA-6-719025; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000547; sid: 5000547; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Starting VPN Stateful Failover Subsystem"; program: %ASA-6-720002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000548; sid: 5000548; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Initialization of VPN Stateful Failover Component completed successfully"; program: %ASA-6-720003; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000549; sid: 5000549; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover main thread started"; program: %ASA-6-720004; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000550; sid: 5000550; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover timer thread started"; program: %ASA-6-720005; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000551; sid: 5000551; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN 
failover sync thread started"; program: %ASA-6-720006; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000552; sid: 5000552; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover client is being disabled"; program: %ASA-6-720010; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000553; sid: 5000553; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to update IPSec failover runtime data on the standby unit"; program: %ASA-6-720012; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000554; sid: 5000554; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover client is transitioning to active state"; program: %ASA-6-720039; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000555; sid: 5000555; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover client is transitioning to standby state"; program: %ASA-6-720040; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000556; sid: 5000556; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN Stateful failover Message Thread is being disabled"; program: %ASA-6-720056; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000557; sid: 5000557; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN Stateful failover Timer Thread is disabled"; program: %ASA-6-720058; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000559; sid: 5000559; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN Stateful failover Sync Thread is disabled."; program: %ASA-6-720060; classtype: bad-unknown; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5000561; sid: 5000561; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SVC Global Compression Disabled"; program: %ASA-6-722025|%FWSM-6-722025; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000563; sid: 5000563; rev: 3;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Device failed SSL handshake"; program: %ASA-6-725006|%FWSM-6-725006; classtype: bad-unknown; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5000564; sid: 5000564; rev: 4;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to inject {TCP|UDP} packet"; program: %ASA-7-421004|%FWSM-7-421004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000565; sid: 5000565; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] File access DENIED, filename"; program: %ASA-7-716021|%FWSM-7-716021; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000566; sid: 5000566; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to browse the network"; program: %ASA-7-716024|%FWSM-7-716024; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000567; sid: 5000567; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to browse domain domain"; program: %ASA-7-716025|%FWSM-7-716025; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000568; sid: 5000568; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to browse directory"; program: %ASA-7-716026|%FWSM-7-716026; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000569; sid: 5000569; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to view file"; program: %ASA-7-716027|%FWSM-7-716027; classtype: 
policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000570; sid: 5000570; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to remove file"; program: %ASA-7-716028|%FWSM-7-716028; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000571; sid: 5000571; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to rename file"; program: %ASA-7-716029|%FWSM-7-716029; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000572; sid: 5000572; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to modify file"; program: %ASA-7-716030|%FWSM-7-716030; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000573; sid: 5000573; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to create file"; program: %ASA-7-716031|%FWSM-7-716031; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000574; sid: 5000574; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to create folder"; program: %ASA-7-716032|%FWSM-7-716032; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000575; sid: 5000575; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to remove folder"; program: %ASA-7-716033|%FWSM-7-716033; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000576; sid: 5000576; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] File Access User failed to login into the server"; program: %ASA-7-716037|%FWSM-7-716037; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000577; sid: 5000577; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SVC Session Termination"; program: %ASA-7-722030|%FWSM-7-722030; 
classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000579; sid: 5000579; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SVC Session Termination Out"; program: %ASA-7-722031|%FWSM-7-722031; parse_src_ip: 1; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000580; sid: 5000580; rev: 4;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN Citrix encountered bad flow control flow"; program: %ASA-7-723004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000581; sid: 5000581; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN Citrix SOCKS errors"; program: %ASA-7-723006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000582; sid: 5000582; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN Citrix receives bad SOCKS socks message length"; program: %ASA-7-723011; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000583; sid: 5000583; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN Citrix received bad SOCKS socks message format"; program: %ASA-7-723012; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000584; sid: 5000584; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SSL lib error"; program: %ASA-7-725014|%FWSM-7-725014 ; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000585; sid: 5000585; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dynamic DNS Update failed"; program: %ASA-3-331001|%PIX-3-331001|%FWSM-3-331001 ; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000586; sid: 5000586; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Switching to ACTIVE";program: %ASA-1-104001|%FWSM-1-104001; 
classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000587; sid: 5000587; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA]%PIX|ASA-1-104002 [Primary] Switching to STNDBY [cause string]."; program: %ASA-1-104002|%FWSM-1-104002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000588; sid: 5000588; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA]%PIX|ASA-1-104003 [Primary] Switching to FAILED"; program: %ASA-1-104003|%FWSM-1-104003; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000589; sid: 5000589; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA]%PIX|ASA-1-104004 [Primary] Switching to OK."; program: %ASA-1-104004|%FWSM-1-104004; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000590; sid: 5000590; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA]%PIX|ASA-1-105037 The primary and standby units are switching back and forth as the active unit"; program: %ASA-1-105037|%FWSM-1-105037; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000591; sid: 5000591; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed Identification Test"; program: %ASA-2-218004|%PIX-2-218004|%FWSM-2-218004; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000592; sid: 5000592; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover cable OK"; program: %ASA-1-101001|%PIX-1-101001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000595; sid: 5000595; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Bad failover cable"; program: %ASA-1-101002|%PIX-1-101002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000596; sid: 5000596; 
rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover cable not connected [this unit]"; program: %ASA-1-101003|%PIX-1-101003; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000597; sid: 5000597; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover cable not connected [other unit]"; program: %ASA-1-101004|%PIX-1-101004; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000598; sid: 5000598; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Error reading failover cable status"; program: %ASA-1-101005|%PIX-1-101005; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000599; sid: 5000599; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Power failure/System reload other side"; program: %ASA-1-102001|%PIX-1-102001|%FWSM-1-102001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000600; sid: 5000600; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] No response from other firewall"; program: %ASA-1-103001|%PIX-1-103001|%FWSM-1-103001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000601; sid: 5000601; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Other firewall network interface OK"; program: %ASA-1-103002|%PIX--1-103002|%FWSM-1-103002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000602; sid: 5000602; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Other firewall network interface failed"; program: %ASA-1-103003|%PIX-1-103003|%FWSM-1-103003; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000603; sid: 5000603; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET 
any (msg: "[CISCO-PIXASA] [Primary] Other firewall reports this firewall failed"; program: %ASA-1-103004|%PIX-1-103004|%FWSM-1-103004; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000604; sid: 5000604; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Other firewall reporting failure"; program: %ASA-1-103005|%PIX-1-103005|%FWSM-1-103005; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000605; sid: 5000605; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Switching to ACTIVE"; program: %ASA-1-104001|%PIX-1-104001|%FWSM-1-104001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000606; sid: 5000606; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Switching to STNDBY"; program: %ASA-1-104002|%PIX-1-104002|%FWSM-1-104002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000607; sid: 5000607; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Switching to FAILED"; program: %ASA-1-104003|%PIX-1-104003|%FWSM-1-104003; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000608; sid: 5000608; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Switching to OK"; program: %ASA-1-104004|%PIX-1-104004|%FWSM-1-104004; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000609; sid: 5000609; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Disabling failover"; program: %ASA-1-105001|%PIX-1-105001|%FWSM-1-105001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000610; sid: 5000610; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Enabling failover"; program: 
%ASA-1-105002|%PIX-1-105002|%FWSM-1-105002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000611; sid: 5000611; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Lost Failover communications with mate on interface"; program: %ASA-1-105005|%PIX-1-105005|%FWSM-1-105005; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000612; sid: 5000612; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover cable communication failure"; program: %ASA-1-105011|%PIX-1-105011; p"cre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000614; sid: 5000614; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [failover_unit] Standby unit failed to sync due to a locked config"; program: %ASA-1-105021|%PIX-1-105021|%FWSM-1-105021; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000615; sid: 5000615; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failover LAN interface is up"; program: %ASA-1-105031|%PIX-1-105031; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000616; sid: 5000616; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LAN Failover interface is down"; program: %ASA-1-105032|%PIX-1-105032; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000617; sid: 5000617; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Receive a LAN_FAILOVER_UP message from peer"; program: %ASA-1-105034|%PIX-1-105034; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000618; sid: 5000618; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Receive a LAN failover interface down msg from peer"; program: %ASA-1-105035|%PIX-1-105035; classtype: 
hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000619; sid: 5000619; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] dropped a LAN Failover command message"; program: %ASA-1-105036|%PIX-1-105036; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000620; sid: 5000620; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Unable to verify the Interface count with mate. Failover may be disabled in mate"; program: %ASA-1-105039|%PIX-1-105039; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000621; sid: 5000621; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Mate failover version is not compatible"; program: %ASA-1-105040|%PIX-1-105040; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000622; sid: 5000622; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover interface OK"; program: %ASA-1-105042|%PIX-1-105042; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000623; sid: 5000623; rev: 2;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover interface failed"; program: %ASA-1-105043|%PIX-1-105043; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000624; sid: 5000624; rev: 2;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny protocol reverse path check"; program: %ASA-1-106021|%PIX-1-106021|%FWSM-1-106021; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000625; sid: 5000625; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny protocol connection spoof"; program: %ASA-1-106022|%PIX-1-106022|%FWSM-1-106022; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000626; sid: 5000626; rev: 3;) -alert syslog 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] The number of ACL log deny-flows has reached limit"; program: %ASA-1-106101|%PIX-1-106101|%FWSM-1-106101; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000627; sid: 5000627; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] RIP auth failed"; program: %ASA-1-107001|%PIX-1-107001|%FWSM-1-107001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000628; sid: 5000628; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] RIP pkt failed"; program: %ASA-1-107002|%PIX-1-107002|%FWSM-1-107002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000629; sid: 5000629; rev: 3;)
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Inbound TCP connection denied"; program: %ASA-2-106001|%PIX-2-106001|%FWSM-2-106001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000631; sid: 5000631; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Connection denied by outbound ACL"; program: %ASA-2-106002|%PIX-2-106002|%FWSM-2-106002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000632; sid: 5000632; rev: 3;)
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny inbound UDP"; program: %ASA-2-106006|%PIX-2-106006|%FWSM-2-106006; classtype: bad-unknown; normalize: cisco; reference: url, wiki.quadrantsec.com/bin/view/Main/5000633; sid: 5000633; rev: 3;)
-#alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-PIXASA] Deny inbound UDP from outside due to DNS {Response|Query}"; program: %ASA-2-106007|%PIX-2-106007|%FWSM-2-106007; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000634; sid: 5000634; rev: 4;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping echo request"; program: %ASA-2-106013|%PIX-2-106013|%FWSM-2-106013; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000635; sid: 5000635; rev: 3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny IP spoof [0/5]"; program: %ASA-2-106016|%PIX-2-106016|%FWSM-2-106016; classtype: bad-unknown; threshold: type limit, track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5000636; sid: 5000636; rev: 7;)
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny IP due to Land Attack [0/5]"; program: %ASA-2-106017|%PIX-2-106017|%FWSM-2-106017; classtype: bad-unknown; threshold: type limit, track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5000637; sid: 5000637; rev: 5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] ICMP denied by outbound ACL"; program: %ASA-2-106018|%PIX-2-106018|%FWSM-2-106018; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000638; sid: 5000638; rev: 3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny IP teardrop fragment [0/5]"; program: %ASA-2-106020|%PIX-2-106020|%FWSM-2-106020; classtype: bad-unknown; threshold: type limit, track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5000639; parse_src_ip: 1; sid: 5000639; rev: 6;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad route_compress"; program: %ASA-2-215001|%PIX-2-215001|%FWSM-2-215001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000640; sid: 5000640; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed Identification Test in slot"; program: %ASA-2-218001|%PIX-2-218001|%FWSM-2-218001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000641; sid: 5000641; rev: 3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-PIXASA] Dropped DNS responses with mis-matched id"; program: %ASA-2-410002|%PIX-2-410002|%FWSM-2-410002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000642; sid: 5000642; rev: 4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Configuration replication failed for command"; program: %ASA-2-709007|%PIX-2-709007|%FWSM-2-709007; classtype: configuration-error ; reference: url, wiki.quadrantsec.com/bin/view/Main/5000643; sid: 5000643; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unexpected event"; program: %ASA-2-717011|%PIX-2-717011|%FWSM-2-717011; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000644; sid: 5000644; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover message block alloc failed"; program: %ASA-3-105010|%PIX-3-105010|%FWSM-3-105010; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000645; sid: 5000645; rev: 3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny inbound protocol"; program: %ASA-3-106010|%PIX-3-106010|%FWSM-3-106010; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000646; sid: 5000646; rev: 3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny inbound [No xlate]"; program: %ASA-3-106011|%PIX-3-106011|%FWSM-3-106011; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000647; sid: 5000647; rev: 3;)
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny inbound ICMP"; program: %ASA-3-106014|%PIX-3-106014|%FWSM-3-106014; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000648; sid: 5000648; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Auth from inside to outside failed [too many pending auths]"; program: %ASA-3-109010|%PIX-3-109010|%FWSM-3-109010; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000649; sid: 5000649; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Can't find authorization ACL for user"; program: %ASA-3-109016|%PIX-3-109016|%FWSM-3-109016; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000650; sid: 5000650; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Downloaded ACL has parsing error"; program: %ASA-3-109019|%PIX-3-109019|%FWSM-3-109019; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000651; sid: 5000651; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Downloaded ACL has config error"; program: %ASA-3-109020|%PIX-3-109020|%FWSM-3-109020; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000652; sid: 5000652; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to install ACL, downloaded for user"; program: %ASA-3-109032|%PIX-3-109032|%FWSM-3-109032; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000653; sid: 5000653; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Kerberos error. Clock skew with server greater than 300 seconds"; program: %ASA-3-113020|%PIX-3-113020|%FWSM-3-109020; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000654; sid: 5000654; rev: 3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg: "[CISCO-PIXASA] FTP data connection failed"; program: %ASA-3-201005|%PIX-3-201005|%FWSM-3-201005; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000655; sid: 5000655; rev: 4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg: "[CISCO-PIXASA] RCMD backconnection failed "; program: %ASA-3-201006|%PIX-3-201006|%FWSM-3-201006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000656; sid: 5000656; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU sw_module_name error"; program: %ASA-3-210001|%PIX-3-210001|%FWSM-3-210001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000657; sid: 5000657; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU allocate block [bytes] failed"; program: %ASA-3-210002|%PIX-3-210002|%FWSM-3-210002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000658; sid: 5000658; rev: 3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU allocate connection failed"; program: %ASA-3-210005|%PIX-3-210005|%FWSM-3-210005; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000659; sid: 5000659; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU look NAT failed"; program: %ASA-3-210006|%PIX-3-210006|%FWSM-3-210006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000660; sid: 5000660; rev: 3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU allocate xlate failed"; program: %ASA-3-210007|%PIX-3-210007|%FWSM-3-210007; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000661; sid: 5000661; rev: 3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU make UDP connection for outside to inside failed"; program: %ASA-3-210010|%PIX-3-210010|%FWSM-3-210010; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000662; sid: 5000662; rev: 3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU PAT port reserve failed"; program: %ASA-3-210020|%PIX-3-210020|%FWSM-3-210020; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000663; sid: 5000663; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU create static xlate interface failed"; program: %ASA-3-210021|%PIX-3-210021|%FWSM-3-210021; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000664; sid: 5000664; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Memory allocation Error"; program: %ASA-3-211001|%PIX-3-211001|%FWSM-3-211001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000665; sid: 5000665; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to open SNMP channel"; program: %ASA-3-212001|%PIX-3-212001|%FWSM-3-212001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000666; sid: 5000666; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to open SNMP trap channel"; program: %ASA-3-212002|%PIX-3-212002|%FWSM-3-212002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000667; sid: 5000667; rev: 3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-PIXASA] Unable to receive an SNMP request on interface"; program: %ASA-3-212003|%PIX-3-212003|%FWSM-3-212003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000668; sid: 5000668; rev: 4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-PIXASA] Unable to send an SNMP response"; program: %ASA-3-212004|%PIX-3-212004|%FWSM-3-212004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000669; sid: 5000669; rev: 4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-PIXASA] Dropping SNMP request"; program: %ASA-3-212006|%PIX-3-212006|%FWSM-3-212006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000670; sid: 5000670; rev: 4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPTP tunnel hashtable insert failed"; program: %ASA-3-213002|%PIX-3-213002|%FWSM-3-213002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000671; sid: 5000671; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPP virtual interface client ip allocation failed"; program: %ASA-3-213004|%PIX-3-213004|%FWSM-3-213004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000672; sid: 5000672; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] H.323 library_name ASN Library failed to initialize"; program: %ASA-3-302019|%PIX-3-302019|%FWSM-3-302019; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000673; sid: 5000673; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] ACL = deny no sa created"; program: %ASA-3-302302|%PIX-3-302302|%FWSM-3-302302; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000674; sid: 5000674; rev: 4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to initialize 4GE SSM I/O card"; program: %ASA*-1-114001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000416; sid: 5000416; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to initialize SFP in 4GE SSM I/O card"; program: %ASA*-1-114002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000417; sid: 5000417; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to run cached commands in 4GE SSM I/O card"; program: %ASA*-1-114003; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000418; sid: 5000418; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function"; program: %ASA*-1-216001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000419; sid: 5000419; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] AAA Marking protocol server ip-addr in server group tag as FAILED"; program: %ASA*-2-113022|%FWSM-2-113022; parse_src_ip: 1; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000420; sid: 5000420; rev: 4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in - function message"; program: %ASA*-2-216001|%FWSM-2-216001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000421; sid: 5000421; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber library cannot locate AK47 instance"; program: %ASA*-2-716500; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000422; sid: 5000422; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber library cannot attach AK47 instance"; program: %ASA*-2-716501; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000423; sid: 5000423; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber library cannot allocate default arena"; program: %ASA*-2-716502|%FWSM-2-716502; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000424; sid: 5000424; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber library cannot allocate fiber descriptors pool"; program: %ASA*-2-716503; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000425; sid: 5000425; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber library cannot allocate fiber stacks pool"; program: %ASA*-2-716504; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000426; sid: 5000426; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber has joined fiber in unfinished state"; program: %ASA*-2-716505; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000427; sid: 5000427; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber scheduler has reached unreachable code. Cannot continue terminating"; program: %ASA*-2-716507; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000428; sid: 5000428; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber scheduler is scheduling rotten fiber. Cannot continuing terminating"; program: %ASA*-2-716508; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000429; sid: 5000429; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber scheduler is scheduling alien fiber. Cannot continue terminating"; program: %ASA*-2-716509; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000430; sid: 5000430; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber scheduler is scheduling finished fiber. Cannot continue terminating"; program: %ASA*-2-716510; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000431; sid: 5000431; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber has joined fiber waited upon by someone else"; program: %ASA*-2-716512; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000432; sid: 5000432; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber in callback blocked on other channel"; program: %ASA*-2-716513; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000433; sid: 5000433; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM failed to allocate memory for AK47 instance"; program: %ASA*-2-716515; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000434; sid: 5000434; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM has corrupted ROL array. Cannot continue terminating"; program: %ASA*-2-716516|%FWSM-2-716516; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000435; sid: 5000435; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM cached block has no associated arena"; program: %ASA*-2-716517|%FWSM-2-716517; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000436; sid: 5000436; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM pool has no associated arena"; program: %ASA*-2-716518|%FWSM-2-716518; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000437; sid: 5000437; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM has corrupted pool list. Cannot continue terminating"; program: %ASA*-2-716519|%FWSM-2-716519; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000438; sid: 5000438; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM pool has no block list"; program: %ASA*-2-716520|%FWSM-2-716520; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000439; sid: 5000439; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM no realloc allowed in named pool"; program: %ASA*-2-716521|%FWSM-2-716521; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000440; sid: 5000440; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM corrupted standalone block"; program: %ASA*-2-716522|%FWSM-2-716522; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000441; sid: 5000441; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] UNICORN_SYSLOGID_PERM_STORAGE_SERVER_LOAD_FAIL"; program: %ASA*-2-716526|%FWSM-2-716526; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000442; sid: 5000442; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] UNICORN_SYSLOGID_PERM_STORAGE_SERVER_STORE_FAIL"; program: %ASA*-2-716527|%FWSM-2-716527; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000443; sid: 5000443; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unexpected fiber scheduler error - possible out-of-memory condition"; program: %ASA*-2-716528|%FWSM-2-716528; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000444; sid: 5000444; rev: 4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to get port statistics in 4GE SSM I/O card"; program: %ASA*-3-114006; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000445; sid: 5000445; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to get current msr in 4GE SSM I/O card"; program: %ASA*-3-114007; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000446; sid: 5000446; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to enable port after link is up in 4GE SSM I/O card"; program: %ASA*-3-114008; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000447; sid: 5000447; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set multicast address in 4GE SSM I/O card"; program: %ASA*-3-114009; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000448; sid: 5000448; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set multicast hardware address in 4GE SSM I/O card"; program: %ASA*-3-114010; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000449; sid: 5000449; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to delete multicast address in 4GE SSM I/O card"; program: %ASA*-3-114011; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000450; sid: 5000450; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to delete multicast hardware address in 4GE SSM I/O card"; program: %ASA*-3-114012; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000451; sid: 5000451; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set mac address table in 4GE SSM I/O card"; program: %ASA*-3-114013; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000452; sid: 5000452; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set mac address in 4GE SSM I/O card"; program: %ASA*-3-114014; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000453; sid: 5000453; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set mode in 4GE SSM I/O card"; program: %ASA*-3-114015; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000454; sid: 5000454; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set multicast mode in 4GE SSM I/O card"; program: %ASA*-3-114016; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000455; sid: 5000455; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to get link status in 4GE SSM I/O card"; program: %ASA*-3-114017; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000456; sid: 5000456; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set port speed in 4GE SSM I/O card"; program: %ASA*-3-114018; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000457; sid: 5000457; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set media type in 4GE SSM I/O card"; program: %ASA*-3-114019; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000458; sid: 5000458; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function message"; program: %ASA*-3-216001|%FWSM-3-216001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000459; sid: 5000459; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] I2C_API_name error"; program: %ASA*-3-219002|%FWSM-3-219002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000460; sid: 5000460; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPN Handle error protocol"; program: %ASA*-3-316002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000461; sid: 5000461; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot experienced a control channel communications failure"; program: %ASA*-3-323001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000462; sid: 5000462; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot failed to write software. Hw-module reset is required before further use"; program: %ASA*-3-323004; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000463; sid: 5000463; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot can not be powered on completely"; program: %ASA*-3-323005; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000464; sid: 5000464; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Type Module in slot experienced a data channel communication failure, data channel is DOWN"; program: %ASA*-3-323006; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000465; sid: 5000465; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IPS card not up and fail-close mode used, dropping ICMP packet [1]"; program: %ASA*-3-420001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000466; sid: 5000466; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IPS card not up and fail-close mode used, dropping ICMP packet [2]"; program: %ASA*-3-420001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000467; sid: 5000467; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] TCP|UDP flow from interface is dropped because application has failed"; program: %ASA*-3-421001|%FWSM-3-421001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000468; sid: 5000468; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] TCP|UDP flow from interface is skipped because application has failed"; program: %ASA*-3-421007|%FWSM-3-421007; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000469; sid: 5000469; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authentication to SSO server failed"; program: %ASA*-3-716056|%FWSM-3-716056; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000470; sid: 5000470; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Email Proxy session pointer has terminated due to reason error"; program: %ASA*-3-719002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000471; sid: 5000471; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SVC Message ERROR message [1]"; program: %ASA*-3-722007|%FWSM-3-722007; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000472; sid: 5000472; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SVC Message ERROR message [2]"; program: %ASA*-3-722008|%FWSM-3-722008; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000473; sid: 5000473; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SVC Message ERROR message [3]"; program: %ASA*-3-722009|%FWSM-3-722009; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000474; sid: 5000474; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot is not able to shut down. Module Error"; program: %ASA*-4-413001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000475; sid: 5000475; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot is not able to reload. Module Error"; program: %ASA*-4-413002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000476; sid: 5000476; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot failed to write software. Trying again"; program: %ASA*-4-413004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000477; sid: 5000477; rev: 2;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IPS requested to drop ICMP packets"; program: %ASA*-4-420002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000478; sid: 5000478; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {Allowed | Dropped} invalid NBNS pkt"; program: %ASA*-4-423001|%FWSM-4-423001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000479; sid: 5000479; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {Allowed | Dropped} mismatched NBNS pkt"; program: %ASA*-4-423002|%FWSM-4-423002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000480; sid: 5000480; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {Allowed | Dropped} invalid NBDGM pkt"; program: %ASA*-4-423003|%FWSM-4-423003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000481; sid: 5000481; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {Allowed | Dropped} mismatched NBDGM pkt"; program: %ASA*-4-423004|%FWSM-4-423004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000482; sid: 5000482; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {Allowed | Dropped} NBDGM pkt"; program: %ASA*-4-423005|%FWSM-4-423005; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000483; sid: 5000483; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Packet denied. [Ingress|Egress] interface is in a backup state"; program: %ASA*-4-424001|%FWSM-4-424001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000484; sid: 5000484; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Connection to the backup interface is denied"; program: %ASA*-4-424002|%FWSM-4-424002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000485; sid: 5000485; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny traffic, licensed host limit exceeded."; program: %ASA*-4-450001|%FWSM-4-450001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000486; sid: 5000486; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Received DH key with bad length"; program: %ASA*-4-713240|%FWSM-4-713240; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000487; sid: 5000487; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] META-DATA Unexpected error in Next Card Code mode while not doing SDI"; program: %ASA*-4-713247; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000488; sid: 5000488; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] META-DATA Received authentication failure message"; program: %ASA*-4-713251|%FWSM-4-713251; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000489; sid: 5000489; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to initialize with Chunk Manager"; program: %ASA*-4-720001|%FWSM-4-720001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000490; sid: 5000490; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to allocate chunk from Chunk Manager"; program: %ASA*-4-720007|%FWSM-4-720007; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000491; sid: 5000491; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to register to High Availability Framework"; program: %ASA*-4-720008; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000492; sid: 5000492; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to create version control block"; program: %ASA*-4-720009|%FWSM-4-720009; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000493; sid: 5000493; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to allocate memory"; program: %ASA*-4-720011|%FWSM-4-720011; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000494; sid: 5000494; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to insert certificate in trust point"; program: %ASA*-4-720013|%FWSM-4-720013; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000495; sid: 5000495; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to queue add to message queue"; program: %ASA*-4-720033|%FWSM-4-720033; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000496; sid: 5000496; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to send type message id to standby unit"; program: %ASA*-4-720043|%FWSM-4-720043; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000497; sid: 5000497; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to receive message from active unit"; program: %ASA*-4-720044|%FWSM-4-720044; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000498; sid: 5000498; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to sync SDI node secret file for server on the standby unit"; program: %ASA*-4-720047|%FWSM-4-720047; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000499; sid: 5000499; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to add new SDI node secret file for server id on the standby unit"; program: %ASA*-4-720051|%FWSM-4-720051; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000500; sid: 5000500; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to delete SDI node secret file for server id on the standby unit"; program: %ASA*-4-720052|%FWSM-4-720052; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000501; sid: 5000501; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to add cTCP IKE rule during bulk sync"; program: %ASA*-4-720053|%FWSM-4-720053; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000502; sid: 5000502; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to add new cTCP record"; program: %ASA*-4-720054|%FWSM-4-720054; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000503; sid: 5000503; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN Stateful failover can only be run in single/non-transparent mode"; program: %ASA*-4-720055; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000504; sid: 5000504; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to update cTCP database"; program: %ASA*-4-720064|%FWSM-4-720064; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000505; sid: 5000505; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to add new cTCP IKE rule"; program: %ASA*-4-720065|%FWSM-4-720065; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000506; sid: 5000506; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to activate IKE database"; program: %ASA*-4-720066|%FWSM-4-720066; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000507; sid: 5000507; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to deactivate IKE database"; program: %ASA*-4-720067|%FWSM-4-720067; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000508; sid: 5000508; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to parse peer message"; program: %ASA*-4-720068|%FWSM-4-720068; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000509; sid: 5000509; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to activate cTCP database"; program: %ASA*-4-720069; classtype|%FWSM-4-720069: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000510; sid: 5000510; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to deactivate cTCP database"; program: %ASA*-4-720070|%FWSM-4-720070; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000511; sid: 5000511; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Fail to insert certificate in trust point on the standby unit"; program: %ASA*-4-720073|%FWSM-4-720073; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000512; sid: 5000512; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error parsing SVC connect request"; program: %ASA*-4-722001|%FWSM-4-722001; parse_src_ip: 1; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000513; sid: 5000513; rev: 5;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error consolidating SVC connect request."; program: %ASA*-4-722002|%FWSM-4-722002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000514; sid: 5000514; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error authenticating SVC connect request"; program: %ASA*-4-722003|%FWSM-4-722003; parse_src_ip: 1; classtype: unsuccessful-admin; reference: url, wiki.quadrantsec.com/bin/view/Main/5000515; sid: 5000515; rev: 4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error responding to SVC connect request"; program: %ASA*-4-722004|%FWSM-4-722004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000516; sid: 5000516; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad SVC frame length length expected"; program: %ASA*-4-722016|%FWSM-4-722016; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000517; sid: 5000517; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad SVC framing 525446, reserved 0"; program: %ASA*-4-722017|%FWSM-4-722017; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000518; sid: 5000518; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad SVC protocol version"; program: %ASA*-4-722018|%FWSM-4-722018; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000519; sid: 5000519; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] CRYPTO An attempt to allocate a large memory block failed"; program: %ASA*-5-402128|%FWSM-5-402128; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000520; sid: 5000520; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] META-DATA Rekey initiation is being disabled during CRACK authentication"; program: %ASA*-5-713248|%FWSM-5-713248; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000521; sid: 5000521; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Integrity Firewall Server is not available. VPN Tunnel creation rejected for client"; program: %ASA*-5-713252; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000522; sid: 5000522; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Integrity Firewall Server is not available. Entering ALLOW mode. VPN Tunnel created for client"; program: %ASA*-5-713253; classtype: successful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000523; sid: 5000523; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to initialize default timer"; program: %ASA*-5-720016; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000525; sid: 5000525; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to update LB runtime data"; program: %ASA*-5-720017; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000526; sid: 5000526; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to get a buffer from the underlying core high availability subsystem"; program: %ASA*-5-720018; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000527; sid: 5000527; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to update cTCP statistics"; program: %ASA*-5-720019; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000528; sid: 5000528; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-PIXASA] [VPN-unit] Failed to send type timer message"; program: %ASA*-5-720020; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000529; sid: 5000529; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] HA non-block send failed for peer msg. HA error code."; program: %ASA*-5-720021; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000530; sid: 5000530; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Fail to look up CTCP flow handle"; program: %ASA*-5-720035; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000531; sid: 5000531; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to process state update message from the active peer"; program: %ASA*-5-720036; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000532; sid: 5000532; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to update cTCP dynamic data"; program: %ASA*-5-720071; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000533; sid: 5000533; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Timeout waiting for Integrity Firewall Server to become available"; program: %ASA*-5-720072|%FWSM-5-720072; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000534; sid: 5000534; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] CRYPTO An attempt to release a DMA memory block failed, location address"; program: %ASA*-6-402129|%FWSM-6-402129; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000535; sid: 5000535; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN access DENIED to specified location url"; program: %ASA*-6-716004; classtype: 
policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000536; sid: 5000536; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN ACL Parse Error"; program: %ASA*-6-716005; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000537; sid: 5000537; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN session not allowed. WebVPN ACL parse error"; program: %ASA*-6-716009; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000538; sid: 5000538; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Reboot pending, new sessions disabled. Denied user login"; program: %ASA*-6-716040|%FWSM-6-716040; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000539; sid: 5000539; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error adding to ACL"; program: %ASA*-6-716050|%FWSM-6-716050; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000540; sid: 5000540; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error adding dynamic ACL for user"; program: %ASA*-6-716051|%FWSM-6-716051; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000541; sid: 5000541; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Email Proxy feature is disabled on interface"; program: %ASA*-6-719010|%FWSM-6-719010; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000542; sid: 5000542; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN authorization failed"; program: %ASA*-6-719019; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000543; sid: 5000543; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN authorization completed 
successfully"; program: %ASA*-6-719020; classtype: successful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000544; sid: 5000544; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN has not been successfully authenticated. Access denied"; program: %ASA*-6-719023; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000545; sid: 5000545; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Email Proxy piggyback auth fail session"; program: %ASA*-6-719024; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000546; sid: 5000546; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Email Proxy DNS name resolution failed for hostname"; program: %ASA*-6-719025; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000547; sid: 5000547; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Starting VPN Stateful Failover Subsystem"; program: %ASA*-6-720002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000548; sid: 5000548; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Initialization of VPN Stateful Failover Component completed successfully"; program: %ASA*-6-720003; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000549; sid: 5000549; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover main thread started"; program: %ASA*-6-720004; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000550; sid: 5000550; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover timer thread started"; program: %ASA*-6-720005; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000551; sid: 5000551; rev: 2;) 
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover sync thread started"; program: %ASA*-6-720006; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000552; sid: 5000552; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover client is being disabled"; program: %ASA*-6-720010; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000553; sid: 5000553; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to update IPSec failover runtime data on the standby unit"; program: %ASA*-6-720012; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000554; sid: 5000554; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover client is transitioning to active state"; program: %ASA*-6-720039; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000555; sid: 5000555; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover client is transitioning to standby state"; program: %ASA*-6-720040; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000556; sid: 5000556; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN Stateful failover Message Thread is being disabled"; program: %ASA*-6-720056; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000557; sid: 5000557; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN Stateful failover Timer Thread is disabled"; program: %ASA*-6-720058; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000559; sid: 5000559; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN Stateful failover Sync Thread is 
disabled."; program: %ASA*-6-720060; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000561; sid: 5000561; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SVC Global Compression Disabled"; program: %ASA*-6-722025|%FWSM-6-722025; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000563; sid: 5000563; rev: 3;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Device failed SSL handshake"; program: %ASA*-6-725006|%FWSM-6-725006; classtype: bad-unknown; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5000564; sid: 5000564; rev: 4;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to inject {TCP|UDP} packet"; program: %ASA*-7-421004|%FWSM-7-421004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000565; sid: 5000565; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] File access DENIED, filename"; program: %ASA*-7-716021|%FWSM-7-716021; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000566; sid: 5000566; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to browse the network"; program: %ASA*-7-716024|%FWSM-7-716024; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000567; sid: 5000567; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to browse domain domain"; program: %ASA*-7-716025|%FWSM-7-716025; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000568; sid: 5000568; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to browse directory"; program: %ASA*-7-716026|%FWSM-7-716026; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000569; sid: 5000569; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-PIXASA] Unable to view file"; program: %ASA*-7-716027|%FWSM-7-716027; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000570; sid: 5000570; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to remove file"; program: %ASA*-7-716028|%FWSM-7-716028; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000571; sid: 5000571; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to rename file"; program: %ASA*-7-716029|%FWSM-7-716029; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000572; sid: 5000572; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to modify file"; program: %ASA*-7-716030|%FWSM-7-716030; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000573; sid: 5000573; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to create file"; program: %ASA*-7-716031|%FWSM-7-716031; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000574; sid: 5000574; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to create folder"; program: %ASA*-7-716032|%FWSM-7-716032; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000575; sid: 5000575; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to remove folder"; program: %ASA*-7-716033|%FWSM-7-716033; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000576; sid: 5000576; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] File Access User failed to login into the server"; program: %ASA*-7-716037|%FWSM-7-716037; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000577; sid: 5000577; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any 
(msg: "[CISCO-PIXASA] SVC Session Termination"; program: %ASA*-7-722030|%FWSM-7-722030; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000579; sid: 5000579; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SVC Session Termination Out"; program: %ASA*-7-722031|%FWSM-7-722031; parse_src_ip: 1; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000580; sid: 5000580; rev: 4;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN Citrix encountered bad flow control flow"; program: %ASA*-7-723004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000581; sid: 5000581; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN Citrix SOCKS errors"; program: %ASA*-7-723006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000582; sid: 5000582; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN Citrix receives bad SOCKS socks message length"; program: %ASA*-7-723011; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000583; sid: 5000583; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN Citrix received bad SOCKS socks message format"; program: %ASA*-7-723012; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000584; sid: 5000584; rev: 2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SSL lib error"; program: %ASA*-7-725014|%FWSM-7-725014 ; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000585; sid: 5000585; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dynamic DNS Update failed"; program: %ASA*-3-331001|%PIX-3-331001|%FWSM-3-331001 ; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000586; sid: 5000586; rev: 3;) +alert syslog $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-PIXASA] Switching to ACTIVE";program: %ASA*-1-104001|%FWSM-1-104001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000587; sid: 5000587; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA]%PIX|ASA-1-104002 [Primary] Switching to STNDBY [cause string]."; program: %ASA*-1-104002|%FWSM-1-104002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000588; sid: 5000588; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA]%PIX|ASA-1-104003 [Primary] Switching to FAILED"; program: %ASA*-1-104003|%FWSM-1-104003; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000589; sid: 5000589; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA]%PIX|ASA-1-104004 [Primary] Switching to OK."; program: %ASA*-1-104004|%FWSM-1-104004; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000590; sid: 5000590; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA]%PIX|ASA-1-105037 The primary and standby units are switching back and forth as the active unit"; program: %ASA*-1-105037|%FWSM-1-105037; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000591; sid: 5000591; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed Identification Test"; program: %ASA*-2-218004|%PIX-2-218004|%FWSM-2-218004; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000592; sid: 5000592; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover cable OK"; program: %ASA*-1-101001|%PIX-1-101001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000595; sid: 5000595; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Bad failover cable"; program: 
%ASA*-1-101002|%PIX-1-101002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000596; sid: 5000596; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover cable not connected [this unit]"; program: %ASA*-1-101003|%PIX-1-101003; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000597; sid: 5000597; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover cable not connected [other unit]"; program: %ASA*-1-101004|%PIX-1-101004; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000598; sid: 5000598; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Error reading failover cable status"; program: %ASA*-1-101005|%PIX-1-101005; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000599; sid: 5000599; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Power failure/System reload other side"; program: %ASA*-1-102001|%PIX-1-102001|%FWSM-1-102001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000600; sid: 5000600; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] No response from other firewall"; program: %ASA*-1-103001|%PIX-1-103001|%FWSM-1-103001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000601; sid: 5000601; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Other firewall network interface OK"; program: %ASA*-1-103002|%PIX--1-103002|%FWSM-1-103002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000602; sid: 5000602; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Other firewall network interface failed"; program: %ASA*-1-103003|%PIX-1-103003|%FWSM-1-103003; classtype: 
hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000603; sid: 5000603; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Other firewall reports this firewall failed"; program: %ASA*-1-103004|%PIX-1-103004|%FWSM-1-103004; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000604; sid: 5000604; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Other firewall reporting failure"; program: %ASA*-1-103005|%PIX-1-103005|%FWSM-1-103005; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000605; sid: 5000605; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Switching to ACTIVE"; program: %ASA*-1-104001|%PIX-1-104001|%FWSM-1-104001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000606; sid: 5000606; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Switching to STNDBY"; program: %ASA*-1-104002|%PIX-1-104002|%FWSM-1-104002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000607; sid: 5000607; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Switching to FAILED"; program: %ASA*-1-104003|%PIX-1-104003|%FWSM-1-104003; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000608; sid: 5000608; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Switching to OK"; program: %ASA*-1-104004|%PIX-1-104004|%FWSM-1-104004; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000609; sid: 5000609; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Disabling failover"; program: %ASA*-1-105001|%PIX-1-105001|%FWSM-1-105001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000610; sid: 5000610; rev: 3;) 
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Enabling failover"; program: %ASA*-1-105002|%PIX-1-105002|%FWSM-1-105002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000611; sid: 5000611; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Lost Failover communications with mate on interface"; program: %ASA*-1-105005|%PIX-1-105005|%FWSM-1-105005; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000612; sid: 5000612; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover cable communication failure"; program: %ASA*-1-105011|%PIX-1-105011; pcre: "/%PIX-|%ASA*-/"; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000614; sid: 5000614; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [failover_unit] Standby unit failed to sync due to a locked config"; program: %ASA*-1-105021|%PIX-1-105021|%FWSM-1-105021; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000615; sid: 5000615; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failover LAN interface is up"; program: %ASA*-1-105031|%PIX-1-105031; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000616; sid: 5000616; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LAN Failover interface is down"; program: %ASA*-1-105032|%PIX-1-105032; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000617; sid: 5000617; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Receive a LAN_FAILOVER_UP message from peer"; program: %ASA*-1-105034|%PIX-1-105034; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000618; sid: 5000618; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] 
Receive a LAN failover interface down msg from peer"; program: %ASA*-1-105035|%PIX-1-105035; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000619; sid: 5000619; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] dropped a LAN Failover command message"; program: %ASA*-1-105036|%PIX-1-105036; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000620; sid: 5000620; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Unable to verify the Interface count with mate. Failover may be disabled in mate"; program: %ASA*-1-105039|%PIX-1-105039; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000621; sid: 5000621; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Mate failover version is not compatible"; program: %ASA*-1-105040|%PIX-1-105040; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000622; sid: 5000622; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover interface OK"; program: %ASA*-1-105042|%PIX-1-105042; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000623; sid: 5000623; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover interface failed"; program: %ASA*-1-105043|%PIX-1-105043; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000624; sid: 5000624; rev: 2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny protocol reverse path check"; program: %ASA*-1-106021|%PIX-1-106021|%FWSM-1-106021; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000625; sid: 5000625; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny protocol connection spoof"; program: %ASA*-1-106022|%PIX-1-106022|%FWSM-1-106022; classtype: 
bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000626; sid: 5000626; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] The number of ACL log deny-flows has reached limit"; program: %ASA*-1-106101|%PIX-1-106101|%FWSM-1-106101; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000627; sid: 5000627; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] RIP auth failed"; program: %ASA*-1-107001|%PIX-1-107001|%FWSM-1-107001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000628; sid: 5000628; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] RIP pkt failed"; program: %ASA*-1-107002|%PIX-1-107002|%FWSM-1-107002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000629; sid: 5000629; rev: 3;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Inbound TCP connection denied"; program: %ASA*-2-106001|%PIX-2-106001|%FWSM-2-106001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000631; sid: 5000631; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Connection denied by outbound ACL"; program: %ASA*-2-106002|%PIX-2-106002|%FWSM-2-106002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000632; sid: 5000632; rev: 3;) +#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny inbound UDP"; program: %ASA*-2-106006|%PIX-2-106006|%FWSM-2-106006; classtype: bad-unknown; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5000633; sid: 5000633; rev: 4;) +#alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-PIXASA] Deny inbound UDP from outside due to DNS {Response|Query}"; program: %ASA*-2-106007|%PIX-2-106007|%FWSM-2-106007; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000634; sid: 5000634; rev: 4;) +alert icmp $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-PIXASA] Dropping echo request"; program: %ASA*-2-106013|%PIX-2-106013|%FWSM-2-106013; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000635; sid: 5000635; rev: 3;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny IP spoof [0/5]"; program: %ASA*-2-106016|%PIX-2-106016|%FWSM-2-106016; classtype: bad-unknown; threshold: type limit, track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5000636; sid: 5000636; rev: 7;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny IP due to Land Attack [0/5]"; program: %ASA*-2-106017|%PIX-2-106017|%FWSM-2-106017; classtype: bad-unknown; threshold: type limit, track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5000637; sid: 5000637; rev: 5;) +alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] ICMP denied by outbound ACL"; program: %ASA*-2-106018|%PIX-2-106018|%FWSM-2-106018; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000638; sid: 5000638; rev: 3;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny IP teardrop fragment [0/5]"; program: %ASA*-2-106020|%PIX-2-106020|%FWSM-2-106020; classtype: bad-unknown; threshold: type limit, track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5000639; parse_src_ip: 1; sid: 5000639; rev: 6;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad route_compress"; program: %ASA*-2-215001|%PIX-2-215001|%FWSM-2-215001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000640; sid: 5000640; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed Identification Test in slot"; program: %ASA*-2-218001|%PIX-2-218001|%FWSM-2-218001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000641; sid: 5000641; rev: 3;) +alert udp 
$EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-PIXASA] Dropped DNS responses with mis-matched id"; program: %ASA*-2-410002|%PIX-2-410002|%FWSM-2-410002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000642; sid: 5000642; rev: 4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Configuration replication failed for command"; program: %ASA*-2-709007|%PIX-2-709007|%FWSM-2-709007; classtype: configuration-error ; reference: url, wiki.quadrantsec.com/bin/view/Main/5000643; sid: 5000643; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unexpected event"; program: %ASA*-2-717011|%PIX-2-717011|%FWSM-2-717011; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000644; sid: 5000644; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover message block alloc failed"; program: %ASA*-3-105010|%PIX-3-105010|%FWSM-3-105010; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000645; sid: 5000645; rev: 3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny inbound protocol"; program: %ASA*-3-106010|%PIX-3-106010|%FWSM-3-106010; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000646; sid: 5000646; rev: 3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny inbound [No xlate]"; program: %ASA*-3-106011|%PIX-3-106011|%FWSM-3-106011; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000647; sid: 5000647; rev: 3;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny inbound ICMP"; program: %ASA*-3-106014|%PIX-3-106014|%FWSM-3-106014; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000648; sid: 5000648; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Auth from inside to outside failed [too many pending auths]"; program: 
%ASA*-3-109010|%PIX-3-109010|%FWSM-3-109010; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000649; sid: 5000649; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Can't find authorization ACL for user"; program: %ASA*-3-109016|%PIX-3-109016|%FWSM-3-109016; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000650; sid: 5000650; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Downloaded ACL has parsing error"; program: %ASA*-3-109019|%PIX-3-109019|%FWSM-3-109019; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000651; sid: 5000651; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Downloaded ACL has config error"; program: %ASA*-3-109020|%PIX-3-109020|%FWSM-3-109020; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000652; sid: 5000652; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to install ACL, downloaded for user"; program: %ASA*-3-109032|%PIX-3-109032|%FWSM-3-109032; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000653; sid: 5000653; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Kerberos error. 
Clock skew with server greater than 300 seconds"; program: %ASA*-3-113020|%PIX-3-113020|%FWSM-3-109020; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000654; sid: 5000654; rev: 3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg: "[CISCO-PIXASA] FTP data connection failed"; program: %ASA*-3-201005|%PIX-3-201005|%FWSM-3-201005; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000655; sid: 5000655; rev: 4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg: "[CISCO-PIXASA] RCMD backconnection failed "; program: %ASA*-3-201006|%PIX-3-201006|%FWSM-3-201006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000656; sid: 5000656; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU sw_module_name error"; program: %ASA*-3-210001|%PIX-3-210001|%FWSM-3-210001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000657; sid: 5000657; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU allocate block [bytes] failed"; program: %ASA*-3-210002|%PIX-3-210002|%FWSM-3-210002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000658; sid: 5000658; rev: 3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU allocate connection failed"; program: %ASA*-3-210005|%PIX-3-210005|%FWSM-3-210005; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000659; sid: 5000659; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU look NAT failed"; program: %ASA*-3-210006|%PIX-3-210006|%FWSM-3-210006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000660; sid: 5000660; rev: 3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU allocate xlate failed"; program: %ASA*-3-210007|%PIX-3-210007|%FWSM-3-210007; classtype: bad-unknown; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5000661; sid: 5000661; rev: 3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU make UDP connection for outside to inside failed"; program: %ASA*-3-210010|%PIX-3-210010|%FWSM-3-210010; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000662; sid: 5000662; rev: 3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU PAT port reserve failed"; program: %ASA*-3-210020|%PIX-3-210020|%FWSM-3-210020; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000663; sid: 5000663; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU create static xlate interface failed"; program: %ASA*-3-210021|%PIX-3-210021|%FWSM-3-210021; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000664; sid: 5000664; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Memory allocation Error"; program: %ASA*-3-211001|%PIX-3-211001|%FWSM-3-211001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000665; sid: 5000665; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to open SNMP channel"; program: %ASA*-3-212001|%PIX-3-212001|%FWSM-3-212001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000666; sid: 5000666; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to open SNMP trap channel"; program: %ASA*-3-212002|%PIX-3-212002|%FWSM-3-212002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000667; sid: 5000667; rev: 3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-PIXASA] Unable to receive an SNMP request on interface"; program: %ASA*-3-212003|%PIX-3-212003|%FWSM-3-212003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000668; sid: 5000668; rev: 4;)
+alert udp $EXTERNAL_NET any -> 
$HOME_NET $SNMP_PORT (msg: "[CISCO-PIXASA] Unable to send an SNMP response"; program: %ASA*-3-212004|%PIX-3-212004|%FWSM-3-212004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000669; sid: 5000669; rev: 4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-PIXASA] Dropping SNMP request"; program: %ASA*-3-212006|%PIX-3-212006|%FWSM-3-212006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000670; sid: 5000670; rev: 4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPTP tunnel hashtable insert failed"; program: %ASA*-3-213002|%PIX-3-213002|%FWSM-3-213002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000671; sid: 5000671; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPP virtual interface client ip allocation failed"; program: %ASA*-3-213004|%PIX-3-213004|%FWSM-3-213004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000672; sid: 5000672; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] H.323 library_name ASN Library failed to initialize"; program: %ASA*-3-302019|%PIX-3-302019|%FWSM-3-302019; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000673; sid: 5000673; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] ACL = deny no sa created"; program: %ASA*-3-302302|%PIX-3-302302|%FWSM-3-302302; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000674; sid: 5000674; rev: 4;)
 # Disabled on 04/12/2014 - Considered to noisy & of little value (Champ Clark III)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {outbound static|identity|portmap|regular] translation creation failed"; program: %ASA-3-305006|%PIX-3-305006|%FWSM-3-305006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000675; sid: 5000675; rev: 3;)
-#alert icmp 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Denied ICMP"; program: %ASA-3-313001|%PIX-3-313001|%FWSM-3-313001; classtype: bad-unknown; normalize: cisco; reference: url, wiki.quadrantsec.com/bin/view/Main/5000676; sid: 5000676; rev: 4;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Denied ICMPv6"; program: %ASA-3-313008|%PIX-3-313008|%FWSM-3-313008; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000677; sid: 5000677; rev: 3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[CISCO-PIXASA] Fail to establish SSH session because RSA host key retrieval failed"; program: %ASA-3-315004|%PIX-3-315004|%FWSM-3-315004; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000678; sid: 5000678; rev: 4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Denied new tunnel limit exceeded"; program: %ASA-3-316001|%PIX-3-316001|%FWSM-3-316001; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000679; sid: 5000679; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IP routing table creation failure"; program: %ASA-3-317003|%PIX-3-317003|%FWSM-3-317003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000681; sid: 5000681; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error"; program: %ASA-3-318001|%PIX-3-318001|%FWSM-3-318001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000682; sid: 5000682; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Arp update for IP address address to NPn failed"; program: %ASA-3-319003|%PIX-3-319003|%FWSM-3-319003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000683; sid: 5000683; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Route update for IP address failed"; program: 
%ASA-3-319004|%PIX-3-319004|%FWSM-3-319004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000684; sid: 5000684; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny MAC address possible spoof attempt"; program: %ASA-3-322001|%PIX-3-322001|%FWSM-3-322001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000685; sid: 5000685; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] ARP inspection check failed [1]"; program: %ASA-3-322002|%PIX-3-322002|%FWSM-3-322002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000686; sid: 5000686; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] ARP inspection check failed [2]"; program: %ASA-3-322003|%PIX-3-322003|%FWSM-3-322003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000687; sid: 5000687; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] GSN tunnel limit exceeded"; program: %ASA-3-324006|%PIX-3-324006|%FWSM-3-324006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000690; sid: 5000690; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Radius Accounting Request has a bad header length"; program: %ASA-3-324301|%PIX-3-324301|%FWSM-3-324301; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000691; sid: 5000691; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unexpected error in the timer library"; program: %ASA-3-326001|%PIX-3-326001|%FWSM-3-326001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000692; sid: 5000692; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error"; program: %ASA-3-326002|%PIX-3-326002|%FWSM-3-326002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000693; sid: 5000693; 
rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] An internal error occurred while processing a packet queue"; program: %ASA-3-326004|%PIX-3-326004|%FWSM-3-326004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000694; sid: 5000694; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Mrib notification failed"; program: %ASA-3-326005|%PIX-3-326005|%FWSM-3-326005; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000695; sid: 5000695; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Entry-creation failed"; program: %ASA-3-326006|%PIX-3-326006|%FWSM-3-326006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000696; sid: 5000696; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Entry-update failed"; program: %ASA-3-326007|%PIX-3-326007|%FWSM-3-326007; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000697; sid: 5000697; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] MRIB registration failed"; program: %ASA-3-326008|%PIX-3-326008|%FWSM-3-326008; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000698; sid: 5000698; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] MRIB connection-open failed"; program: %ASA-3-326009|%PIX-3-326009|%FWSM-3-326009; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000699; sid: 5000699; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] MRIB unbind failed"; program: %ASA-3-326010|%PIX-3-326010|%FWSM-3-326010; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000700; sid: 5000700; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] MRIB table deletion failed"; program: %ASA-3-326011|%PIX-3-326011|%FWSM-3-326011; 
classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000701; sid: 5000701; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Initialization of string functionality failed"; program: %ASA-3-326012|%PIX-3-326012|%FWSM-3-326012; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000702; sid: 5000702; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error"; program: %ASA-3-326013|%PIX-3-326013|%FWSM-3-326013; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000703; sid: 5000703; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Initialization failed"; program: %ASA-3-326014|%PIX-3-326014|%FWSM-3-326014; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000704; sid: 5000704; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Communication error"; program: %ASA-3-326015|%PIX-3-326015|%FWSM-3-326015; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000705; sid: 5000705; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set un-numbered interface"; program: %ASA-3-326016|%PIX-3-326016|%FWSM-3-326016; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000706; sid: 5000706; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Interface Manager error"; program: %ASA-3-326017|%PIX-3-326017|%FWSM-3-326017; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000707; sid: 5000707; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] List error"; program: %ASA-3-326020|%PIX-3-326020|%FWSM-3-326020; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000708; sid: 5000708; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error"; 
program: %ASA-3-326021|%PIX-3-326021|%FWSM-3-326021; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000709; sid: 5000709; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error"; program: %ASA-3-326022|%PIX-3-326022|%FWSM-3-326022; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000710; sid: 5000710; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] An internal error occurred while processing a packet queue"; program: %ASA-3-326024|%PIX-3-326024|%FWSM-3-326024; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000711; sid: 5000711; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Server unexpected error"; program: %ASA-3-326026|%PIX-3-326026|%FWSM-3-326026; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000712; sid: 5000712; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Corrupted update"; program: %ASA-3-326027|%PIX-3-326027|%FWSM-3-326027; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000713; sid: 5000713; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Asynchronous error"; program: %ASA-3-326028|%PIX-3-326028|%FWSM-3-326028; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000714; sid: 5000714; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IP SLA Monitor Failed to initialize, will not work"; program: %ASA-3-327002|%PIX-3-327002|%FWSM-3-327002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000715; sid: 5000715; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IP SLA Monitor Generic Timer wheel timer functionality failed to initialize"; program: %ASA-3-327003|%PIX-3-327003|%FWSM-3-327003; classtype: bad-unknown; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5000716; sid: 5000716; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPPoE - Bad host-unique in PADO - packet dropped"; program: %ASA-3-403501|%PIX-3-403501|%FWSM-3-403501; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000717; sid: 5000717; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPPoE - Bad host-unique in PADS - dropping packet"; program: %ASA-3-403502|%PIX-3-403502|%FWSM-3-403502; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000718; sid: 5000718; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPPoEPPPoE client on interface failed to locate PPPoE vpdn group"; program: %ASA-3-403507|%PIX-3-403507|%FWSM-3-403507; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000719; sid: 5000719; rev: 3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg: "[CISCO-PIXASA] Failed to save logging buffer using filename to FTP server"; program: %ASA-3-414001|%PIX-3-414001|%FWSM-3-414001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000720; sid: 5000720; rev: 4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to save logging buffer to flash or syslog directory using file name filename"; program: %ASA-3-414002|%PIX-3-414002|%FWSM-3-414002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000721; sid: 5000721; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] NTP daemon Packet denied"; program: %ASA-3-610001|%PIX-3-610001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000722; sid: 5000722; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] NTP daemon Authentication failed"; program: %ASA-3-610002|%PIX-3-610002|%FWSM-3-610002; classtype: unsuccessful-user; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5000723; sid: 5000723; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPNClient Backup Server List Error"; program: %ASA-3-611313|%PIX-3-611313; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000724; sid: 5000724; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error processing payload"; program: %ASA-3-713048|%PIX-3-713048|%FWSM-3-713048; parse_src_ip: 1; parse_dst_ip: 2; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000725; sid: 5000725; rev: 5;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Tunnel Rejected User matched with group name, check failed"; program: %ASA-3-713059|%PIX-3-713059; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000726; sid: 5000726; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Tunnel Rejected User not member of group, check failed"; program: %ASA-3-713060|%PIX-3-713060; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000727; sid: 5000727; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to retrieve identity certificate"; program: %ASA-3-713082|%PIX-3-713082; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000728; sid: 5000728; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Set Cert filehandle failure no IPSec SA in group"; program: %ASA-3-713088|%PIX-3-713088; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000729; sid: 5000729; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Request attempt failed!"; program: %ASA-3-713107|%PIX-3-713107; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000730; sid: 5000730; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-PIXASA] Failed to process CONNECTED notify!"; program: %ASA-3-713112|%PIX-3-713112; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000731; sid: 5000731; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Client-reported firewall does not match configured firewall action tunnel"; program: %ASA-3-713141|%PIX-3-713141; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000732; sid: 5000732; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Client did not report firewall in use, but there is a configured firewall action tunnel"; program: %ASA-3-713142|%PIX--3-713142; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000733; sid: 5000733; rev: 2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] TCP Connection to Firewall Server has been lost, restricted tunnels are now allowed full network access"; program: %ASA-3-713159|%PIX-3-713159; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000734; sid: 5000734; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Remote user network access has been restricted by the Firewall Server"; program: %ASA-3-713161|%PIX-3-713161; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000735; sid: 5000735; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Remote user has been rejected by the Firewall Server"; program: %ASA-3-713162|%PIX-3-713162; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000736; sid: 5000736; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Remote user has been terminated by the Firewall Server"; program: %ASA-3-713163|%PIX-3-713163; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000737; sid: 5000737; rev: 2;)
-alert syslog $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-PIXASA] Headend security gateway has failed our user authentication attempt - check configured username and password"; program: %ASA-3-713166|%PIX-3-713166; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000738; sid: 5000738; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Remote peer has failed user authentication - check configured username and password [10/5]"; program: %ASA-3-713167|%PIX-3-713167; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000739; sid: 5000739; rev: 5;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error Username too long - connection aborted"; program: %ASA-3-713185|%PIX-3-713185; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000740; sid: 5000740; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] User Authorization failed"; program: %ASA-3-713198|%PIX-3-713198|%FWSM-3-713198; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000741; sid: 5000741; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IKE Receiver Error reading from socket"; program: %ASA-3-713203|%PIX-3-713203; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000742; sid: 5000742; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Connection failed with peer, no trust-point defined"; program: %ASA-3-713226|%PIX-3-713226; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000743; sid: 5000743; rev: 2;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal Error, ike_lock trying to lock bit that is already locked"; program: %ASA-3-713230|%PIX-3-713230|%FWSM-3-713230; parse_src_ip: 1; 
parse_dst_ip: 2; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000744; sid: 5000744; rev: 4;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal Error, ike_lock trying to unlock bit that is not locked"; program: %ASA-3-713231|%PIX-3-713231|%FWSM-3-713231; parse_src_ip: 1; parse_dst_ip: 2; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000745; sid: 5000745; rev: 4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Querying keypair failed"; program: %ASA-3-717001|%PIX-3-717001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000746; sid: 5000746; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Certificate enrollment failed for trustpoint"; program: %ASA-3-717002|%PIX-3-717002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000747; sid: 5000747; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Certificate validation failed"; program: %ASA-3-717009|%PIX-3-717009; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000748; sid: 5000748; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] CRL polling failed for trustpoint"; program: %ASA-3-717010|%PIX-3-717010; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000749; sid: 5000749; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to refresh CRL cache entry from the server for trustpoint"; program: %ASA-3-717012|%PIX-3-717012; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000750; sid: 5000750; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to query CA certificate for trustpoint"; program: %ASA-3-717017|%PIX-3-717017; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000751; sid: 5000751; 
rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to insert CRL for trustpoint"; program: %ASA-3-717019|%PIX-3-717019; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000752; sid: 5000752; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SSL failed to set device certificate for trustpoint"; program: %ASA-3-717023|%PIX-3-717023; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000753; sid: 5000753; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Certificate chain failed validation"; program: %ASA-3-717027|%PIX-3-717027; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000754; sid: 5000754; rev: 2;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny protocol"; program: %ASA-4-106023|%PIX-4-106023|%FWSM-4-106023; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000755; sid: 5000755; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to determine the security context for the packetvlansource Vlan"; program: %ASA-4-106027|%PIX-4-106027|%FWSM-4-106027; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000756; sid: 5000756; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] NT Domain Authentication Failed rejecting guest login for username."; program: %ASA-4-109031|%PIX-4-109031|%FWSM-4-109031; classtype: misc-attack; reference: url, wiki.quadrantsec.com/bin/view/Main/5000757; sid: 5000757; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authentication failed for admin user"; program: %ASA-4-109033|%PIX-4-109033|%FWSM-4-109033; classtype: unsuccessful-admin; reference: url, wiki.quadrantsec.com/bin/view/Main/5000758; sid: 5000758; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] 
Authentication failed for network user"; program: %ASA-4-109034|%PIX-4-109034|%FWSM-4-109034; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000759; sid: 5000759; rev: 3;)
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Denied ICMP"; program: %ASA-4-313004|%PIX-4-313004|%FWSM-4-313004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000760; sid: 5000760; rev: 3;)
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] No matching connection for ICMP error"; program: %ASA-4-313005|%PIX-4-313005|%FWSM-4-313005; classtype: bad-unknown; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5000761; sid: 5000761; rev: 4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] NAC Downloaded ACL parse failure"; program: %ASA-4-335005|%PIX-4-335005|%FWSM-4-335005; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000762; sid: 5000762; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Shun add failed unable to allocate resources"; program: %ASA-4-401005|%PIX-4-401005|%FWSM-4-401005; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000763; sid: 5000763; rev: 3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IPSEC Received an protocol packet from remote IP to local IP that failed anti-replay checking [0/5]"; program: %ASA-4-402119|%PIX-4-402119|%FWSM-4-402119; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; parse_dst_ip: 2; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000764; sid: 5000764; rev: 5;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IPSEC Received an protocol packet from remote IP to local IP that failed authentication [0/5]"; program: %ASA-4-402120|%PIX-4-402120; classtype: unsuccessful-user; threshold: type limit, track by_src, count 5, 
seconds 300; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5000765; sid: 5000765; rev: 6;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] CRYPTO The hardware accelerator encountered an error while executing crypto command"; program: %ASA-4-402123|%PIX-4-402123|%FWSM-4-402123; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000766; sid: 5000766; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPPoE failed to assign PPP IP address"; program: %ASA-4-403506|%PIX-4-403506|%FWSM-4-403506; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000767; sid: 5000767; rev: 3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg: "[CISCO-PIXASA] ISAKMP Failed to allocate address for client from pool string"; program: %ASA-4-404101|%PIX-4-404101|%FWSM-4-404101; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000768; sid: 5000768; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] H225 message contains bad protocol discriminator hex"; program: %ASA-4-405103|%PIX-4-405103|%FWSM-4-405103; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000769; sid: 5000769; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny traffic for local-host, license limit of number exceeded"; program: %ASA-4-407001|%PIX-4-407001|%FWSM-4-407001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000770; sid: 5000770; rev: 3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-PIXASA] Dropped UDP SNMP packet"; program: %ASA-4-416001|%PIX-4-416001|%FWSM-4-416001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000771; sid: 5000771; rev: 4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Filter violation error conn number"; program: 
%ASA-4-417004|%PIX-4-417004|%FWSM-4-417004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000772; sid: 5000772; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Through-the-device packet to/from management-only network is denied"; program: %ASA-4-418001|%PIX-4-418001|%FWSM-4-418001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000773; sid: 5000773; rev: 3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping TCP packet, reason MSS exceeded, MSS size, data size"; program: %ASA-4-419001|%PIX-4-419001|%FWSM-4-419001; parse_src_ip: 1; parse_dst_ip: 2; classtype: network-scan; reference: url, wiki.quadrantsec.com/bin/view/Main/5000774; sid: 5000774; rev: 5;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] RTP conformance Dropping RTP packet"; program: %ASA-4-431001|%PIX-4-431001|%FWSM-4-431001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000775; sid: 5000775; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] RTCP conformance Dropping RTCP packet"; program: %ASA-4-431002|%PIX-4-431002|%FWSM-4-431002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000776; sid: 5000776; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping Skinny message length value too small"; program: %ASA-4-608002|%PIX-4-608002|%FWSM-4-608002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000777; sid: 5000777; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping Skinny message length value too large"; program: %ASA-4-608003|%PIX-4-608003|%FWSM-4-608003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000778; sid: 5000778; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping Skinny message id value not allowed"; 
program: %ASA-4-608004|%PIX-4-608004|%FWSM-4-608004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000779; sid: 5000779; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping Skinny message id value registration not complete"; program: %ASA-4-608005|%PIX-4-608005|%FWSM-4-608005; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000780; sid: 5000780; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Auto Update failed"; program: %ASA-4-612002|%PIX-4-612002|%FWSM-4-612002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000781; sid: 5000781; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Auto Update failed"; program: %ASA-4-612003|%PIX-4-612003|%FWSM-4-612003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000782; sid: 5000782; rev: 3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-PIXASA] DNS lookup for Server failed!"; program: %ASA-4-713154|%PIX-4-713154|%FWSM-4-713154; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000783; sid: 5000783; rev: 4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Name lookup failed for hostname during PKI operation"; program: %ASA-4-717026|%PIX-4-717026|%FWSM-4-717026; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000784; sid: 5000784; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to find a suitable trustpoint for issuer"; program: %ASA-4-717031|%PIX-4-717031|%FWSM-4-717031; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000785; sid: 5000785; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Tunnel group search using certificate maps failed"; program: %ASA-4-717037|%PIX-4-717037; classtype: bad-unknown; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5000786; sid: 5000786; rev: 2;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IP address end configuration {FAILED|OK}"; program: %ASA-5-111004|%PIX-5-111004|%FWSM-5-111004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000787; sid: 5000787; rev: 3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg: "[CISCO-PIXASA] FTP cmd_string command unsupported - failed strict inspection"; program: %ASA-5-303004|%PIX-5-303004|%FWSM-5-303004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000788; sid: 5000788; rev: 4;)
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-PIXASA] Access denied URL chars"; program: %ASA-5-304002|%PIX-5-304002|%FWSM-5-304002; content: "http://"; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000789; sid: 5000789; rev: 4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Asymmetric NAT rules matched for forward and reverse flows [0/1]"; program: %ASA-5-305013|%PIX-5-305013|%FWSM-5-305013; threshold: type limit, track by_src, count 1, seconds 900; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000790; sid: 5000790; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] EAPoUDP association failed to establish"; program: %ASA-5-334003|%PIX-5-334003|%FWSM-5-334003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000791; sid: 5000791; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] EAPoUDP failed to get a response from host"; program: %ASA-5-334006|%PIX-5-334006|%FWSM-5-334006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000792; sid: 5000792; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] HTTP - matched string in policy-map verification failed"; program: 
%ASA-5-415004|%PIX-5-415004|%FWSM-5-415004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000793; sid: 5000793; rev: 3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad TCP hdr length - Possible network scan"; program: %ASA-5-500003|%PIX-5-500003|%FWSM-5-500003; parse_src_ip: 1; parse_dst_ip: 2; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000794; sid: 5000794; rev: 5;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IKE area failed to find centry for message"; program: %ASA-5-713010|%PIX-5-713010; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000796; sid: 5000796; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failure during phase 1 rekeying attempt due to collision"; program: %ASA-5-713092|%PIX-5-713092; parse_src_ip: 1; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000797; sid: 5000797; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Ignoring received malformed firewall record"; program: %ASA-5-713144|%PIX-5-713144|%FWSM-5-713144; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000798; sid: 5000798; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Create peer failure, already at maximum of number of peers"; program: %ASA-5-718002|%PIX-5-718002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000800; sid: 5000800; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to send to IP"; program: %ASA-5-718005|%PIX-5-718005|%FWSM-5-718005; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000801; sid: 5000801; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Socket open failure"; program: %ASA-5-718007|%PIX-5-718007|%FWSM-5-718007; classtype: bad-unknown; reference: 
url, wiki.quadrantsec.com/bin/view/Main/5000802; sid: 5000802; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Socket bind failure"; program: %ASA-5-718008|%PIX-5-718008|%FWSM-5-718008; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000803; sid: 5000803; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send HELLO response failure"; program: %ASA-5-718009|%PIX-5-718008|%FWSM-5-718008; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000804; sid: 5000804; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send HELLO request failure"; program: %ASA-5-718011|%PIX-5-718011|%FWSM-5-718011; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000805; sid: 5000805; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send CFG UPDATE failure"; program: %ASA-5-718024|%PIX-5-718024|%FWSM-5-718024; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000806; sid: 5000806; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send OOS indicator failure"; program: %ASA-5-718028|%PIX-5-718028|%FWSM-5-718028; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000807; sid: 5000807; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send TOPOLOGY indicator failure"; program: %ASA-5-718033|%PIX-5-718033|%FWSM-5-718033; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000808; sid: 5000808; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Create of secure tunnel failure"; program: %ASA-5-718048|%PIX-5-718048; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000809; sid: 5000809; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Delete of secure tunnel failure"; 
program: %ASA-5-718050|%PIX-5-718050; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000810; sid: 5000810; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Queue send failure from ISR"; program: %ASA-5-718057|%PIX-5-718057; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000811; sid: 5000811; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Inbound socket select fail"; program: %ASA-5-718060|%PIX-5-718060|%FWSM-5-718060; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000812; sid: 5000812; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Inbound socket read fail"; program: %ASA-5-718061|%PIX-5-718061|%FWSM-5-718061; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000813; sid: 5000813; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Cannot continue to run"; program: %ASA-5-718065|%PIX-5-718065|%FWSM-5-718065; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000814; sid: 5000814; rev: 4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to create access list for peer"; program: %ASA-5-718074|%PIX-5-718074|%FWSM-5-718074; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000815; sid: 5000815; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to create tunnel group for peer"; program: %ASA-5-718076|%PIX-5-718076; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000816; sid: 5000816; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to delete tunnel group for peer"; program: %ASA-5-718077|%PIX-5-718077; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000817; sid: 5000817; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any 
(msg: "[CISCO-PIXASA] Fail to create crypto map for peer"; program: %ASA-5-718078|%PIX-5-718078; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000818; sid: 5000818; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to delete crypto map for peer"; program: %ASA-5-718079|%PIX-5-718079; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000819; sid: 5000819; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to create crypto policy for peer"; program: %ASA-5-718080|%PIX-5-718080; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000820; sid: 5000820; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to delete crypto policy for peer"; program: %ASA-5-718081|%PIX-5-718081; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000821; sid: 5000821; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to install LB NP rules"; program: %ASA-5-718086|%PIX-5-718086; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000822; sid: 5000822; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to delete LB NP rules"; program: %ASA-5-718087|%PIX-5-718087; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000823; sid: 5000823; rev: 2;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny IP [0/5]"; program: %ASA-6-106012|%PIX-6-106012|%FWSM-6-106012; classtype: bad-unknown; threshold: type limit, track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5000824; sid: 5000824; rev: 5;)
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny TCP [no connection]"; program: %ASA-6-106015|%PIX-6-106015|%FWSM-6-106015; normalize: cisco; classtype: bad-unknown; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5000825; sid: 5000825; rev: 4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to determine the security context"; program: %ASA-6-106025|%PIX-6-106025|%FWSM-6-106025; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000826; sid: 5000826; rev: 5;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to determine the security context"; program: %ASA-6-106026|%PIX-6-106026|%FWSM-6-106026; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000827; sid: 5000827; rev: 3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] access-list ACL {permitted | denied | est-allowed} protocol"; program: %ASA-6-106100|%PIX-6-106100|%FWSM-6-106100; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000828; sid: 5000828; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Auth from inside to outside failed [server failed] on interface"; program: %ASA-6-109002|%PIX-6-109002|%FWSM-6-109002; parse_src_ip: 1; parse_dst_ip: 2; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000829; sid: 5000829; rev: 4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Auth from inside to outside failed [all servers failed] on interface"; program: %ASA-6-109003|%PIX-6-109003|%FWSM-6-109002; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000830; sid: 5000830; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authentication failed for user [0/5]"; program: %ASA-6-109006|%PIX-6-109006|%FWSM-6-109006; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000831; threshold: type limit, track by_src, count 5, seconds 300; sid: 5000831; rev: 5;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authorization permitted for user"; 
program: %ASA-6-109007|%PIX-6-109007|%FWSM-6-109007; classtype: successful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000832; sid: 5000832; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authorization denied for user from outside to inside on interface"; program: %ASA-6-109008|%PIX-6-109008|%FWSM-6-109008; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000833; sid: 5000833; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authorization denied [not authenticated]"; program: %ASA-6-109024|%PIX-6-109024|%FWSM-6-109024; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000834; sid: 5000834; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authorization denied for user"; program: %ASA-6-109025|%PIX-6-109025|%FWSM-6-109025; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000835; sid: 5000835; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] User user locked out on exceeding number successive failed authentication attempts"; program: %ASA-6-113006|%PIX-6-113006|%FWSM-6-113006; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000836; sid: 5000836; rev: 3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] AAA unable to complete the request"; program: %ASA-6-113013|%PIX-6-113013|%FWSM-6-113013; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000837; sid: 5000837; rev: 3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] URL Server request failed URL"; program: %ASA-6-304004|%PIX-6-304004|%FWSM-6-304004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000838; sid: 5000838; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] RIP hdr failed"; program: 
%ASA-6-312001|%PIX-6-312001|%FWSM-6-312001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000839; sid: 5000839; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] No management IP address configured for transparent firewall"; program: %ASA-6-322004|%PIX-6-322004|%FWSM-6-322004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000840; sid: 5000840; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] NAC is disabled for host"; program: %ASA-6-335004|%PIX-6-335004|%FWSM-6-335004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000841; sid: 5000841; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Login denied [Brute Force] [10/1]"; program: %ASA-6-605004|%PIX-6-605004|%FWSM-6-605004; parse_src_ip: 1; parse_port; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000842; sid: 5000842; rev: 8;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authorization failed"; program: %ASA-6-610101|%PIX-6-610101|%FWSM-6-610101; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000843; sid: 5000843; rev: 3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] User authentication failed [0/5]"; program: %ASA-6-611102|%PIX-6-611102|%FWSM-6-610102; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000844; threshold: type limit, track by_src, count 5, seconds 300; sid: 5000844; rev: 5;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VNPClient XAUTH Failed"; program: %ASA-6-611311|%PIX-6-611311; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000845; sid: 5000845; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any 
(msg: "[CISCO-PIXASA] VPNClient Secure Unit Authentication Disabled"; program: %ASA-6-611317|%PIX-6-611317; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000846; sid: 5000846; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPNClient User Authentication Disabled"; program: %ASA-6-611319|%PIX-6-611319; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000847; sid: 5000847; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPNClient Device Pass Thru Disabled"; program: %ASA-6-611321|%PIX-6-611321; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000848; sid: 5000848; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPNClient Extended XAUTH conversation initiated when SUA disabled"; program: %ASA-6-611322|%PIX-6-611322; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000849; sid: 5000849; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Checksum Failure in database"; program: %ASA-6-613001|%PIX-6-613001|%FWSM-6-613001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000850; sid: 5000850; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] vlan number not available for firewall interface"; program: %ASA-6-615001|%PIX-6-615001|%FWSM-6-615001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000851; sid: 5000851; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] vlan number available for firewall interface"; program: %ASA-6-615002|%PIX-6-615002|%FWSM-6-615002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000852; sid: 5000852; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad register"; program: %ASA-6-621007|%PIX-6-621007|%FWSM-6-621007; classtype: bad-unknown; 
reference: url, wiki.quadrantsec.com/bin/view/Main/5000853; sid: 5000853; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Attempt to send an IKE packet from standby unit. Dropping the packet! [0/1]"; program: %ASA-6-713235|%PIX-6-713235|%FWSM-6-713235; type limit, track by_src, count 1, seconds 900; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000854; sid: 5000854; rev: 5;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Certificate received from Certificate Authority for trustpoint"; program: %ASA-6-717003|%PIX-6-717003|%FWSM-6-717003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000855; sid: 5000855; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PKCS 12 export failed"; program: %ASA-6-717004|%PIX-6-717004|%FWSM-6-717004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000856; sid: 5000856; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PKCS 12 import failed"; program: %ASA-6-717006|%PIX-6-717006|%FWSM-6-717006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000857; sid: 5000857; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] uauth_lookup_net fail for uauth_in"; program: %ASA-7-109014|%PIX-7-109014|%FWSM-7-109014; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000858; sid: 5000858; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Uauth null proxy error"; program: %ASA-7-109021|%PIX-7-109021|%FWSM-7-109021; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000859; sid: 5000859; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send failure"; program: %ASA-7-713039|%PIX-7-713039|%FWSM-7-713039; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000861; sid: 
5000861; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Cert validation failure handle invalid for Main/Aggressive Mode Initiator/Responder!"; program: %ASA-7-713094|%PIX-7-713094|%FWSM-7-713094; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000862; sid: 5000862; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Attempt to get Phase 1 ID data failed while hash computation"; program: %ASA-7-713104|%PIX-7-713104; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000863; sid: 5000863; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Processing firewall record"; program: %ASA-7-713143|%PIX-7-713143|%FWSM-7-713143; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000864; sid: 5000864; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Remote user has been granted access by the Firewall Server [Brute Force] [10/1]"; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; program: %ASA-7-713160|%PIX-7-713160|%FWSM-7-713160; classtype: successful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000865; sid: 5000865; rev: 5;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] The Firewall Server has requested a list of active user sessions"; program: %ASA-7-713164|%PIX-7-713164|%FWSM-7-713164; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000866; sid: 5000866; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Got bad refCnt assigning"; program: %ASA-7-713190|%PIX-7-713190|%FWSM-7-713190; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000867; sid: 5000867; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] subroutine Q Send failure RetCode"; program: 
%ASA-7-715004|%PIX-7-715004|%FWSM-7-715004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000868; sid: 5000868; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] subroutine name Bad message code Cod"; program: %ASA-7-715005|%PIX-7-715005|%FWSM-7-715005; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000869; sid: 5000869; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IKE received response to a request from the utility"; program: %ASA-7-715042|%PIX-7-715042; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000870; sid: 5000870; rev: 2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] ERROR malformed Keepalive payload"; program: %ASA-7-715045|%PIX-7-715045|%FWSM-7-715045; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000871; sid: 5000871; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Claims to be IOS but failed authentication"; program: %ASA-7-715050|%PIX-7-715050|%FWSM-7-715050; classtype: misc-attack; reference: url, wiki.quadrantsec.com/bin/view/Main/5000872; sid: 5000872; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropped received IKE fragment"; program: %ASA-7-715060|%PIX-7-715060|%FWSM-7-715060; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000873; sid: 5000873; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error assembling fragments! 
Fragment numbers are non-continuous"; program: %ASA-7-715062|%PIX-7-715062|%FWSM-7-715062; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000874; sid: 5000874; rev: 3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IKE state_machine subtype FSM error history"; program: %ASA-7-715065|%PIX-7-715065|%FWSM-7-715065; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000875; sid: 5000875; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal interprocess communication queue send failure"; program: %ASA-7-718001|%PIX-7-718001|%FWSM-7-718001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000876; sid: 5000876; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send KEEPALIVE request failure"; program: %ASA-7-718018|%PIX-7-718018|%FWSM-7-718018; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000877; sid: 5000877; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send KEEPALIVE response failure"; program: %ASA-7-718020|%PIX-7-718020|%FWSM-7-718020; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000878; sid: 5000878; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to create group"; program: %ASA-7-718047|%PIX-7-718047|%FWSM-7-718047; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000879; sid: 5000879; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Creation of group policy"; program: %ASA-7-718046|%PIX-7-718046|%FWSM-7-718046; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000880; sid: 5000880; rev: 3;)
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-PIXASA] Access denied URL"; program: %ASA-5-304002|%PIX-5-304002|%FWSM-7-304002; content: "http://"; classtype: 
policy-violation; normalize: cisco; reference: url, wiki.quadrantsec.com/bin/view/Main/5001086; sid: 5001086; rev: 4;)
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] AAA user authentication successful [0/5]"; program: %ASA-6-113004|%PIX-6-113004|%FWSM-6-113004; classtype: successful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5001087; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; sid: 5001087; rev: 6;)
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] AAA user authentication Reject [0/5]"; program: %ASA-6-113005|%PIX-6-113005|%FWSM-6-113005; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5001092; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; sid: 5001092; rev: 5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] AAA user authentication Reject - Brute force [10/1]"; program: %ASA-6-113005|%PIX-6-113005|%FWSM-6-113005; classtype: unsuccessful-user; normalize: cisco; reference: url, wiki.quadrantsec.com/bin/view/Main/5001593; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; fwsam: src, 1 day; sid: 5001593; rev: 6;)
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Disconnect by SSH server"; program: %ASA-6-315011|%PIX-6-315011|%FWSM-6-315011; classtype: system-event; normalize: cisco; reference: url, wiki.quadrantsec.com/bin/view/Main/5001088; sid: 5001088; rev: 2;)
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CISCO-PIXASA] Access denied URL chars - HTTPS"; program: %ASA-5-304002|%PIX-5-304002|%FWSM-5-304002; content: "https://"; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5001089; sid: 5001089; rev: 3;)
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CISCO-PIXASA] Access denied URL - HTTPS"; program: %ASA-5-304002|%PIX-5-304002|%FWSM-5-304002; content: 
"https://"; classtype: policy-violation; normalize: cisco; reference: url, wiki.quadrantsec.com/bin/view/Main/5001091; sid: 5001091; rev: 3;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] User authentication failed - Brute force [5/1]"; program: %ASA-6-611102|%PIX-6-611102|%FWSM-6-610102; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5001654; threshold: type limit, track by_src, count 1, seconds 86400; after: track by_src, count 5, seconds 300; sid: 5001654; rev: 4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] TCP access denied by ACL - Brute force [25/1]"; program: %ASA-3-710003; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5001714; normalize: cisco; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 1, seconds 86400; after: track by_src, count 25, seconds 300; sid: 5001714; rev: 5;) -#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] TCP access denied by ACL"; program: %ASA-3-710003; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5001715; parse_src_ip: 1; parse_dst_ip: 2; parse_port; sid: 5001715; rev: 1;) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CISCO-PIXASA] WebVPN console/admin failed"; program: %ASA-3-113021; classtype: unsuccessful-admin; reference: url, wiki.quadrantsec.com/bin/view/Main/5001963; sid: 5001963; rev: 1;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {outbound static|identity|portmap|regular] translation creation failed"; program: %ASA*-3-305006|%PIX-3-305006|%FWSM-3-305006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000675; sid: 5000675; rev: 3;) +#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Denied ICMP"; program: %ASA*-3-313001|%PIX-3-313001|%FWSM-3-313001; classtype: bad-unknown; normalize; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5000676; sid: 5000676; rev: 5;) +alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Denied ICMPv6"; program: %ASA*-3-313008|%PIX-3-313008|%FWSM-3-313008; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000677; sid: 5000677; rev: 3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[CISCO-PIXASA] Fail to establish SSH session because RSA host key retrieval failed"; program: %ASA*-3-315004|%PIX-3-315004|%FWSM-3-315004; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000678; sid: 5000678; rev: 4;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Denied new tunnel limit exceeded"; program: %ASA*-3-316001|%PIX-3-316001|%FWSM-3-316001; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000679; sid: 5000679; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IP routing table creation failure"; program: %ASA*-3-317003|%PIX-3-317003|%FWSM-3-317003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000681; sid: 5000681; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error"; program: %ASA*-3-318001|%PIX-3-318001|%FWSM-3-318001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000682; sid: 5000682; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Arp update for IP address address to NPn failed"; program: %ASA*-3-319003|%PIX-3-319003|%FWSM-3-319003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000683; sid: 5000683; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Route update for IP address failed"; program: %ASA*-3-319004|%PIX-3-319004|%FWSM-3-319004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000684; sid: 5000684; rev: 3;) +alert syslog $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-PIXASA] Deny MAC address possible spoof attempt"; program: %ASA*-3-322001|%PIX-3-322001|%FWSM-3-322001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000685; sid: 5000685; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] ARP inspection check failed [1]"; program: %ASA*-3-322002|%PIX-3-322002|%FWSM-3-322002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000686; sid: 5000686; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] ARP inspection check failed [2]"; program: %ASA*-3-322003|%PIX-3-322003|%FWSM-3-322003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000687; sid: 5000687; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] GSN tunnel limit exceeded"; program: %ASA*-3-324006|%PIX-3-324006|%FWSM-3-324006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000690; sid: 5000690; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Radius Accounting Request has a bad header length"; program: %ASA*-3-324301|%PIX-3-324301|%FWSM-3-324301; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000691; sid: 5000691; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unexpected error in the timer library"; program: %ASA*-3-326001|%PIX-3-326001|%FWSM-3-326001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000692; sid: 5000692; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error"; program: %ASA*-3-326002|%PIX-3-326002|%FWSM-3-326002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000693; sid: 5000693; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] An internal error occurred while processing a packet queue"; program: 
%ASA*-3-326004|%PIX-3-326004|%FWSM-3-326004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000694; sid: 5000694; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Mrib notification failed"; program: %ASA*-3-326005|%PIX-3-326005|%FWSM-3-326005; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000695; sid: 5000695; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Entry-creation failed"; program: %ASA*-3-326006|%PIX-3-326006|%FWSM-3-326006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000696; sid: 5000696; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Entry-update failed"; program: %ASA*-3-326007|%PIX-3-326007|%FWSM-3-326007; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000697; sid: 5000697; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] MRIB registration failed"; program: %ASA*-3-326008|%PIX-3-326008|%FWSM-3-326008; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000698; sid: 5000698; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] MRIB connection-open failed"; program: %ASA*-3-326009|%PIX-3-326009|%FWSM-3-326009; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000699; sid: 5000699; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] MRIB unbind failed"; program: %ASA*-3-326010|%PIX-3-326010|%FWSM-3-326010; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000700; sid: 5000700; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] MRIB table deletion failed"; program: %ASA*-3-326011|%PIX-3-326011|%FWSM-3-326011; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000701; sid: 5000701; rev: 3;) +alert syslog $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-PIXASA] Initialization of string functionality failed"; program: %ASA*-3-326012|%PIX-3-326012|%FWSM-3-326012; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000702; sid: 5000702; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error"; program: %ASA*-3-326013|%PIX-3-326013|%FWSM-3-326013; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000703; sid: 5000703; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Initialization failed"; program: %ASA*-3-326014|%PIX-3-326014|%FWSM-3-326014; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000704; sid: 5000704; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Communication error"; program: %ASA*-3-326015|%PIX-3-326015|%FWSM-3-326015; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000705; sid: 5000705; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set un-numbered interface"; program: %ASA*-3-326016|%PIX-3-326016|%FWSM-3-326016; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000706; sid: 5000706; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Interface Manager error"; program: %ASA*-3-326017|%PIX-3-326017|%FWSM-3-326017; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000707; sid: 5000707; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] List error"; program: %ASA*-3-326020|%PIX-3-326020|%FWSM-3-326020; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000708; sid: 5000708; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error"; program: %ASA*-3-326021|%PIX-3-326021|%FWSM-3-326021; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000709; 
sid: 5000709; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error"; program: %ASA*-3-326022|%PIX-3-326022|%FWSM-3-326022; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000710; sid: 5000710; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] An internal error occurred while processing a packet queue"; program: %ASA*-3-326024|%PIX-3-326024|%FWSM-3-326024; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000711; sid: 5000711; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Server unexpected error"; program: %ASA*-3-326026|%PIX-3-326026|%FWSM-3-326026; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000712; sid: 5000712; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Corrupted update"; program: %ASA*-3-326027|%PIX-3-326027|%FWSM-3-326027; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000713; sid: 5000713; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Asynchronous error"; program: %ASA*-3-326028|%PIX-3-326028|%FWSM-3-326028; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000714; sid: 5000714; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IP SLA Monitor Failed to initialize, will not work"; program: %ASA*-3-327002|%PIX-3-327002|%FWSM-3-327002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000715; sid: 5000715; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IP SLA Monitor Generic Timer wheel timer functionality failed to initialize"; program: %ASA*-3-327003|%PIX-3-327003|%FWSM-3-327003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000716; sid: 5000716; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPPoE - Bad 
host-unique in PADO - packet dropped"; program: %ASA*-3-403501|%PIX-3-403501|%FWSM-3-403501; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000717; sid: 5000717; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPPoE - Bad host-unique in PADS - dropping packet"; program: %ASA*-3-403502|%PIX-3-403502|%FWSM-3-403502; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000718; sid: 5000718; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPPoEPPPoE client on interface failed to locate PPPoE vpdn group"; program: %ASA*-3-403507|%PIX-3-403507|%FWSM-3-403507; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000719; sid: 5000719; rev: 3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg: "[CISCO-PIXASA] Failed to save logging buffer using filename to FTP server"; program: %ASA*-3-414001|%PIX-3-414001|%FWSM-3-414001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000720; sid: 5000720; rev: 4;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to save logging buffer to flash or syslog directory using file name filename"; program: %ASA*-3-414002|%PIX-3-414002|%FWSM-3-414002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000721; sid: 5000721; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] NTP daemon Packet denied"; program: %ASA*-3-610001|%PIX-3-610001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000722; sid: 5000722; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] NTP daemon Authentication failed"; program: %ASA*-3-610002|%PIX-3-610002|%FWSM-3-610002; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000723; sid: 5000723; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPNClient 
Backup Server List Error"; program: %ASA*-3-611313|%PIX-3-611313; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000724; sid: 5000724; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error processing payload"; program: %ASA*-3-713048|%PIX-3-713048|%FWSM-3-713048; parse_src_ip: 1; parse_dst_ip: 2; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000725; sid: 5000725; rev: 5;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Tunnel Rejected User matched with group name, check failed"; program: %ASA*-3-713059|%PIX-3-713059; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000726; sid: 5000726; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Tunnel Rejected User not member of group, check failed"; program: %ASA*-3-713060|%PIX-3-713060; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000727; sid: 5000727; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to retrieve identity certificate"; program: %ASA*-3-713082|%PIX-3-713082; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000728; sid: 5000728; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Set Cert filehandle failure no IPSec SA in group"; program: %ASA*-3-713088|%PIX-3-713088; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000729; sid: 5000729; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Request attempt failed!"; program: %ASA*-3-713107|%PIX-3-713107; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000730; sid: 5000730; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to process CONNECTED notify!"; program: %ASA*-3-713112|%PIX-3-713112; classtype: bad-unknown; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5000731; sid: 5000731; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Client-reported firewall does not match configured firewall action tunnel"; program: %ASA*-3-713141|%PIX-3-713141; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000732; sid: 5000732; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Client did not report firewall in use, but there is a configured firewall action tunnel"; program: %ASA*-3-713142|%PIX--3-713142; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000733; sid: 5000733; rev: 2;) +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] TCP Connection to Firewall Server has been lost, restricted tunnels are now allowed full network access"; program: %ASA*-3-713159|%PIX-3-713159; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000734; sid: 5000734; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Remote user network access has been restricted by the Firewall Server"; program: %ASA*-3-713161|%PIX-3-713161; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000735; sid: 5000735; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Remote user has been rejected by the Firewall Server"; program: %ASA*-3-713162|%PIX-3-713162; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000736; sid: 5000736; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Remote user has been terminated by the Firewall Server"; program: %ASA*-3-713163|%PIX-3-713163; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000737; sid: 5000737; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Headend security gateway has failed our user authentication attempt - check configured 
username and password"; program: %ASA*-3-713166|%PIX-3-713166; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000738; sid: 5000738; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Remote peer has failed user authentication - check configured username and password [10/5]"; program: %ASA*-3-713167|%PIX-3-713167; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000739; sid: 5000739; rev: 5;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error Username too long - connection aborted"; program: %ASA*-3-713185|%PIX-3-713185; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000740; sid: 5000740; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] User Authorization failed"; program: %ASA*-3-713198|%PIX-3-713198|%FWSM-3-713198; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000741; sid: 5000741; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IKE Receiver Error reading from socket"; program: %ASA*-3-713203|%PIX-3-713203; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000742; sid: 5000742; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Connection failed with peer, no trust-point defined"; program: %ASA*-3-713226|%PIX-3-713226; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000743; sid: 5000743; rev: 2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal Error, ike_lock trying to lock bit that is already locked"; program: %ASA*-3-713230|%PIX-3-713230|%FWSM-3-713230; parse_src_ip: 1; parse_dst_ip: 2; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000744; sid: 5000744; 
rev: 4;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal Error, ike_lock trying to unlock bit that is not locked"; program: %ASA*-3-713231|%PIX-3-713231|%FWSM-3-713231; parse_src_ip: 1; parse_dst_ip: 2; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000745; sid: 5000745; rev: 4;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Querying keypair failed"; program: %ASA*-3-717001|%PIX-3-717001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000746; sid: 5000746; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Certificate enrollment failed for trustpoint"; program: %ASA*-3-717002|%PIX-3-717002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000747; sid: 5000747; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Certificate validation failed"; program: %ASA*-3-717009|%PIX-3-717009; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000748; sid: 5000748; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] CRL polling failed for trustpoint"; program: %ASA*-3-717010|%PIX-3-717010; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000749; sid: 5000749; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to refresh CRL cache entry from the server for trustpoint"; program: %ASA*-3-717012|%PIX-3-717012; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000750; sid: 5000750; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to query CA certificate for trustpoint"; program: %ASA*-3-717017|%PIX-3-717017; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000751; sid: 5000751; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to insert CRL for 
trustpoint"; program: %ASA*-3-717019|%PIX-3-717019; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000752; sid: 5000752; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SSL failed to set device certificate for trustpoint"; program: %ASA*-3-717023|%PIX-3-717023; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000753; sid: 5000753; rev: 2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Certificate chain failed validation"; program: %ASA*-3-717027|%PIX-3-717027; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000754; sid: 5000754; rev: 2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny protocol"; program: %ASA*-4-106023|%PIX-4-106023|%FWSM-4-106023; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000755; sid: 5000755; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to determine the security context for the packetvlansource Vlan"; program: %ASA*-4-106027|%PIX-4-106027|%FWSM-4-106027; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000756; sid: 5000756; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] NT Domain Authentication Failed rejecting guest login for username."; program: %ASA*-4-109031|%PIX-4-109031|%FWSM-4-109031; classtype: misc-attack; reference: url, wiki.quadrantsec.com/bin/view/Main/5000757; sid: 5000757; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authentication failed for admin user"; program: %ASA*-4-109033|%PIX-4-109033|%FWSM-4-109033; classtype: unsuccessful-admin; reference: url, wiki.quadrantsec.com/bin/view/Main/5000758; sid: 5000758; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authentication failed for network user"; program: %ASA*-4-109034|%PIX-4-109034|%FWSM-4-109034; classtype: 
unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000759; sid: 5000759; rev: 3;) +#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Denied ICMP"; program: %ASA*-4-313004|%PIX-4-313004|%FWSM-4-313004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000760; sid: 5000760; rev: 3;) +#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] No matching connection for ICMP error"; program: %ASA*-4-313005|%PIX-4-313005|%FWSM-4-313005; classtype: bad-unknown; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5000761; sid: 5000761; rev: 4;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] NAC Downloaded ACL parse failure"; program: %ASA*-4-335005|%PIX-4-335005|%FWSM-4-335005; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000762; sid: 5000762; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Shun add failed unable to allocate resources"; program: %ASA*-4-401005|%PIX-4-401005|%FWSM-4-401005; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000763; sid: 5000763; rev: 3;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IPSEC Received an protocol packet from remote IP to local IP that failed anti-replay checking [0/5]"; program: %ASA*-4-402119|%PIX-4-402119|%FWSM-4-402119; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; parse_dst_ip: 2; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000764; sid: 5000764; rev: 5;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IPSEC Received an ESP packet from remote IP to local IP that failed authentication [0/5]"; program: %ASA*-4-402120|%PIX-4-402120; classtype: unsuccessful-user; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; parse_dst_ip: 3; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5000765; sid: 5000765; rev: 7;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] CRYPTO The hardware accelerator encountered an error while executing crypto command"; program: %ASA*-4-402123|%PIX-4-402123|%FWSM-4-402123; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000766; sid: 5000766; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPPoE failed to assign PPP IP address"; program: %ASA*-4-403506|%PIX-4-403506|%FWSM-4-403506; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000767; sid: 5000767; rev: 3;) +alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg: "[CISCO-PIXASA] ISAKMP Failed to allocate address for client from pool string"; program: %ASA*-4-404101|%PIX-4-404101|%FWSM-4-404101; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000768; sid: 5000768; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] H225 message contains bad protocol discriminator hex"; program: %ASA*-4-405103|%PIX-4-405103|%FWSM-4-405103; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000769; sid: 5000769; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny traffic for local-host, license limit of number exceeded"; program: %ASA*-4-407001|%PIX-4-407001|%FWSM-4-407001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000770; sid: 5000770; rev: 3;) +alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-PIXASA] Dropped UDP SNMP packet"; program: %ASA*-4-416001|%PIX-4-416001|%FWSM-4-416001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000771; sid: 5000771; rev: 4;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Filter violation error conn number"; program: %ASA*-4-417004|%PIX-4-417004|%FWSM-4-417004; classtype: bad-unknown; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5000772; sid: 5000772; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Through-the-device packet to/from management-only network is denied"; program: %ASA*-4-418001|%PIX-4-418001|%FWSM-4-418001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000773; sid: 5000773; rev: 3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping TCP packet, reason MSS exceeded, MSS size, data size"; program: %ASA*-4-419001|%PIX-4-419001|%FWSM-4-419001; parse_src_ip: 1; parse_dst_ip: 2; classtype: network-scan; reference: url, wiki.quadrantsec.com/bin/view/Main/5000774; sid: 5000774; rev: 5;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] RTP conformance Dropping RTP packet"; program: %ASA*-4-431001|%PIX-4-431001|%FWSM-4-431001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000775; sid: 5000775; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] RTCP conformance Dropping RTCP packet"; program: %ASA*-4-431002|%PIX-4-431002|%FWSM-4-431002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000776; sid: 5000776; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping Skinny message length value too small"; program: %ASA*-4-608002|%PIX-4-608002|%FWSM-4-608002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000777; sid: 5000777; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping Skinny message length value too large"; program: %ASA*-4-608003|%PIX-4-608003|%FWSM-4-608003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000778; sid: 5000778; rev: 3;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping Skinny message id value not allowed"; program: %ASA*-4-608004|%PIX-4-608004|%FWSM-4-608004; classtype: bad-unknown; 
reference: url, wiki.quadrantsec.com/bin/view/Main/5000779; sid: 5000779; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping Skinny message id value registration not complete"; program: %ASA*-4-608005|%PIX-4-608005|%FWSM-4-608005; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000780; sid: 5000780; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Auto Update failed"; program: %ASA*-4-612002|%PIX-4-612002|%FWSM-4-612002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000781; sid: 5000781; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Auto Update failed"; program: %ASA*-4-612003|%PIX-4-612003|%FWSM-4-612003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000782; sid: 5000782; rev: 3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-PIXASA] DNS lookup for Server failed!"; program: %ASA*-4-713154|%PIX-4-713154|%FWSM-4-713154; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000783; sid: 5000783; rev: 4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Name lookup failed for hostname during PKI operation"; program: %ASA*-4-717026|%PIX-4-717026|%FWSM-4-717026; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000784; sid: 5000784; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to find a suitable trustpoint for issuer"; program: %ASA*-4-717031|%PIX-4-717031|%FWSM-4-717031; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000785; sid: 5000785; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Tunnel group search using certificate maps failed"; program: %ASA*-4-717037|%PIX-4-717037; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000786; sid: 5000786; rev: 2;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IP address end configuration {FAILED|OK}"; program: %ASA*-5-111004|%PIX-5-111004|%FWSM-5-111004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000787; sid: 5000787; rev: 3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg: "[CISCO-PIXASA] FTP cmd_string command unsupported - failed strict inspection"; program: %ASA*-5-303004|%PIX-5-303004|%FWSM-5-303004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000788; sid: 5000788; rev: 4;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-PIXASA] Access denied URL chars"; program: %ASA*-5-304002|%PIX-5-304002|%FWSM-5-304002; content: "http://"; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000789; sid: 5000789; rev: 4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Asymmetric NAT rules matched for forward and reverse flows [0/1]"; program: %ASA*-5-305013|%PIX-5-305013|%FWSM-5-305013; threshold: type limit, track by_src, count 1, seconds 900; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000790; sid: 5000790; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] EAPoUDP association failed to establish"; program: %ASA*-5-334003|%PIX-5-334003|%FWSM-5-334003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000791; sid: 5000791; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] EAPoUDP failed to get a response from host"; program: %ASA*-5-334006|%PIX-5-334006|%FWSM-5-334006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000792; sid: 5000792; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] HTTP - matched string in policy-map verification failed"; program: %ASA*-5-415004|%PIX-5-415004|%FWSM-5-415004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000793; sid: 5000793; rev: 3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad TCP hdr length - Possible network scan"; program: %ASA*-5-500003|%PIX-5-500003|%FWSM-5-500003; parse_src_ip: 1; parse_dst_ip: 2; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000794; sid: 5000794; rev: 5;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IKE area failed to find centry for message"; program: %ASA*-5-713010|%PIX-5-713010; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000796; sid: 5000796; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failure during phase 1 rekeying attempt due to collision"; program: %ASA*-5-713092|%PIX-5-713092; parse_src_ip: 1; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000797; sid: 5000797; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Ignoring received malformed firewall record"; program: %ASA*-5-713144|%PIX-5-713144|%FWSM-5-713144; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000798; sid: 5000798; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Create peer failure, already at maximum of number of peers"; program: %ASA*-5-718002|%PIX-5-718002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000800; sid: 5000800; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to send to IP"; program: %ASA*-5-718005|%PIX-5-718005|%FWSM-5-718005; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000801; sid: 5000801; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Socket open failure"; program: %ASA*-5-718007|%PIX-5-718007|%FWSM-5-718007; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000802; sid: 5000802; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Socket bind failure"; program: %ASA*-5-718008|%PIX-5-718008|%FWSM-5-718008; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000803; sid: 5000803; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send HELLO response failure"; program: %ASA*-5-718009|%PIX-5-718008|%FWSM-5-718008; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000804; sid: 5000804; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send HELLO request failure"; program: %ASA*-5-718011|%PIX-5-718011|%FWSM-5-718011; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000805; sid: 5000805; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send CFG UPDATE failure"; program: %ASA*-5-718024|%PIX-5-718024|%FWSM-5-718024; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000806; sid: 5000806; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send OOS indicator failure"; program: %ASA*-5-718028|%PIX-5-718028|%FWSM-5-718028; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000807; sid: 5000807; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send TOPOLOGY indicator failure"; program: %ASA*-5-718033|%PIX-5-718033|%FWSM-5-718033; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000808; sid: 5000808; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Create of secure tunnel failure"; program: %ASA*-5-718048|%PIX-5-718048; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000809; sid: 5000809; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Delete of secure tunnel failure"; program: %ASA*-5-718050|%PIX-5-718050; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000810; sid: 5000810; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Queue send failure from ISR"; program: %ASA*-5-718057|%PIX-5-718057; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000811; sid: 5000811; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Inbound socket select fail"; program: %ASA*-5-718060|%PIX-5-718060|%FWSM-5-718060; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000812; sid: 5000812; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Inbound socket read fail"; program: %ASA*-5-718061|%PIX-5-718061|%FWSM-5-718061; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000813; sid: 5000813; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Cannot continue to run"; program: %ASA*-5-718065|%PIX-5-718065|%FWSM-5-718065; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000814; sid: 5000814; rev: 4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to create access list for peer"; program: %ASA*-5-718074|%PIX-5-718074|%FWSM-5-718074; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000815; sid: 5000815; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to create tunnel group for peer"; program: %ASA*-5-718076|%PIX-5-718076; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000816; sid: 5000816; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to delete tunnel group for peer"; program: %ASA*-5-718077|%PIX-5-718077; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000817; sid: 5000817; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to create crypto map for peer"; program: %ASA*-5-718078|%PIX-5-718078; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000818; sid: 5000818; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to delete crypto map for peer"; program: %ASA*-5-718079|%PIX-5-718079; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000819; sid: 5000819; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to create crypto policy for peer"; program: %ASA*-5-718080|%PIX-5-718080; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000820; sid: 5000820; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to delete crypto policy for peer"; program: %ASA*-5-718081|%PIX-5-718081; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000821; sid: 5000821; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to install LB NP rules"; program: %ASA*-5-718086|%PIX-5-718086; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000822; sid: 5000822; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to delete LB NP rules"; program: %ASA*-5-718087|%PIX-5-718087; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000823; sid: 5000823; rev: 2;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny IP [0/5]"; program: %ASA*-6-106012|%PIX-6-106012|%FWSM-6-106012; classtype: bad-unknown; threshold: type limit, track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5000824; sid: 5000824; rev: 5;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny TCP [no connection]"; program: %ASA*-6-106015|%PIX-6-106015|%FWSM-6-106015; normalize; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000825; sid: 5000825; rev: 5;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to determine the security context"; program: %ASA*-6-106025|%PIX-6-106025|%FWSM-6-106025; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000826; sid: 5000826; rev: 5;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to determine the security context"; program: %ASA*-6-106026|%PIX-6-106026|%FWSM-6-106026; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000827; sid: 5000827; rev: 3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] access-list ACL {permitted | denied | est-allowed} protocol"; program: %ASA*-6-106100|%PIX-6-106100|%FWSM-6-106100; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000828; sid: 5000828; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Auth from inside to outside failed [server failed] on interface"; program: %ASA*-6-109002|%PIX-6-109002|%FWSM-6-109002; parse_src_ip: 1; parse_dst_ip: 2; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000829; sid: 5000829; rev: 4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Auth from inside to outside failed [all servers failed] on interface"; program: %ASA*-6-109003|%PIX-6-109003|%FWSM-6-109002; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000830; sid: 5000830; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authentication failed for user [0/5]"; program: %ASA*-6-109006|%PIX-6-109006|%FWSM-6-109006; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000831; threshold: type limit, track by_src, count 5, seconds 300; sid: 5000831; rev: 5;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authorization permitted for user"; program: %ASA*-6-109007|%PIX-6-109007|%FWSM-6-109007; classtype: successful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000832; sid: 5000832; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authorization denied for user from outside to inside on interface"; program: %ASA*-6-109008|%PIX-6-109008|%FWSM-6-109008; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000833; sid: 5000833; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authorization denied [not authenticated]"; program: %ASA*-6-109024|%PIX-6-109024|%FWSM-6-109024; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000834; sid: 5000834; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authorization denied for user"; program: %ASA*-6-109025|%PIX-6-109025|%FWSM-6-109025; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000835; sid: 5000835; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] User user locked out on exceeding number successive failed authentication attempts"; program: %ASA*-6-113006|%PIX-6-113006|%FWSM-6-113006; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000836; sid: 5000836; rev: 3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] AAA unable to complete the request"; program: %ASA*-6-113013|%PIX-6-113013|%FWSM-6-113013; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000837; sid: 5000837; rev: 3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] URL Server request failed URL"; program: %ASA*-6-304004|%PIX-6-304004|%FWSM-6-304004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000838; sid: 5000838; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] RIP hdr failed"; program: %ASA*-6-312001|%PIX-6-312001|%FWSM-6-312001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000839; sid: 5000839; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] No management IP address configured for transparent firewall"; program: %ASA*-6-322004|%PIX-6-322004|%FWSM-6-322004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000840; sid: 5000840; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] NAC is disabled for host"; program: %ASA*-6-335004|%PIX-6-335004|%FWSM-6-335004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000841; sid: 5000841; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Login denied [Brute Force] [10/1]"; program: %ASA*-6-605004|%PIX-6-605004|%FWSM-6-605004; parse_src_ip: 1; parse_port; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000842; flowbits: set,brute_force,21600; sid: 5000842; rev: 9;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authorization failed"; program: %ASA*-6-610101|%PIX-6-610101|%FWSM-6-610101; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000843; sid: 5000843; rev: 3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] User authentication failed [0/5]"; program: %ASA*-6-611102|%PIX-6-611102|%FWSM-6-610102; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000844; threshold: type limit, track by_src, count 5, seconds 300; sid: 5000844; rev: 5;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VNPClient XAUTH Failed"; program: %ASA*-6-611311|%PIX-6-611311; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000845; sid: 5000845; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPNClient Secure Unit Authentication Disabled"; program: %ASA*-6-611317|%PIX-6-611317; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000846; sid: 5000846; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPNClient User Authentication Disabled"; program: %ASA*-6-611319|%PIX-6-611319; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000847; sid: 5000847; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPNClient Device Pass Thru Disabled"; program: %ASA*-6-611321|%PIX-6-611321; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000848; sid: 5000848; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPNClient Extended XAUTH conversation initiated when SUA disabled"; program: %ASA*-6-611322|%PIX-6-611322; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000849; sid: 5000849; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Checksum Failure in database"; program: %ASA*-6-613001|%PIX-6-613001|%FWSM-6-613001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000850; sid: 5000850; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] vlan number not available for firewall interface"; program: %ASA*-6-615001|%PIX-6-615001|%FWSM-6-615001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000851; sid: 5000851; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] vlan number available for firewall interface"; program: %ASA*-6-615002|%PIX-6-615002|%FWSM-6-615002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000852; sid: 5000852; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad register"; program: %ASA*-6-621007|%PIX-6-621007|%FWSM-6-621007; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000853; sid: 5000853; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Attempt to send an IKE packet from standby unit. Dropping the packet! [0/1]"; program: %ASA*-6-713235|%PIX-6-713235|%FWSM-6-713235; type limit, track by_src, count 1, seconds 900; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000854; sid: 5000854; rev: 5;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Certificate received from Certificate Authority for trustpoint"; program: %ASA*-6-717003|%PIX-6-717003|%FWSM-6-717003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000855; sid: 5000855; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PKCS 12 export failed"; program: %ASA*-6-717004|%PIX-6-717004|%FWSM-6-717004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000856; sid: 5000856; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PKCS 12 import failed"; program: %ASA*-6-717006|%PIX-6-717006|%FWSM-6-717006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000857; sid: 5000857; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] uauth_lookup_net fail for uauth_in"; program: %ASA*-7-109014|%PIX-7-109014|%FWSM-7-109014; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000858; sid: 5000858; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Uauth null proxy error"; program: %ASA*-7-109021|%PIX-7-109021|%FWSM-7-109021; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000859; sid: 5000859; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send failure"; program: %ASA*-7-713039|%PIX-7-713039|%FWSM-7-713039; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000861; sid: 5000861; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Cert validation failure handle invalid for Main/Aggressive Mode Initiator/Responder!"; program: %ASA*-7-713094|%PIX-7-713094|%FWSM-7-713094; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000862; sid: 5000862; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Attempt to get Phase 1 ID data failed while hash computation"; program: %ASA*-7-713104|%PIX-7-713104; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000863; sid: 5000863; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Processing firewall record"; program: %ASA*-7-713143|%PIX-7-713143|%FWSM-7-713143; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000864; sid: 5000864; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Remote user has been granted access by the Firewall Server [Brute Force] [10/1]"; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; program: %ASA*-7-713160|%PIX-7-713160|%FWSM-7-713160; classtype: successful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000865; flowbits: set,brute_force,21600; sid: 5000865; rev: 6;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] The Firewall Server has requested a list of active user sessions"; program: %ASA*-7-713164|%PIX-7-713164|%FWSM-7-713164; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000866; sid: 5000866; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Got bad refCnt assigning"; program: %ASA*-7-713190|%PIX-7-713190|%FWSM-7-713190; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000867; sid: 5000867; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] subroutine Q Send failure RetCode"; program: %ASA*-7-715004|%PIX-7-715004|%FWSM-7-715004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000868; sid: 5000868; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] subroutine name Bad message code Cod"; program: %ASA*-7-715005|%PIX-7-715005|%FWSM-7-715005; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000869; sid: 5000869; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IKE received response to a request from the utility"; program: %ASA*-7-715042|%PIX-7-715042; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000870; sid: 5000870; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] ERROR malformed Keepalive payload"; program: %ASA*-7-715045|%PIX-7-715045|%FWSM-7-715045; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000871; sid: 5000871; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Claims to be IOS but failed authentication"; program: %ASA*-7-715050|%PIX-7-715050|%FWSM-7-715050; classtype: misc-attack; reference: url, wiki.quadrantsec.com/bin/view/Main/5000872; sid: 5000872; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropped received IKE fragment"; program: %ASA*-7-715060|%PIX-7-715060|%FWSM-7-715060; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000873; sid: 5000873; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error assembling fragments! Fragment numbers are non-continuous"; program: %ASA*-7-715062|%PIX-7-715062|%FWSM-7-715062; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000874; sid: 5000874; rev: 3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IKE state_machine subtype FSM error history"; program: %ASA*-7-715065|%PIX-7-715065|%FWSM-7-715065; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000875; sid: 5000875; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal interprocess communication queue send failure"; program: %ASA*-7-718001|%PIX-7-718001|%FWSM-7-718001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000876; sid: 5000876; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send KEEPALIVE request failure"; program: %ASA*-7-718018|%PIX-7-718018|%FWSM-7-718018; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000877; sid: 5000877; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send KEEPALIVE response failure"; program: %ASA*-7-718020|%PIX-7-718020|%FWSM-7-718020; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000878; sid: 5000878; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to create group"; program: %ASA*-7-718047|%PIX-7-718047|%FWSM-7-718047; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000879; sid: 5000879; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Creation of group policy"; program: %ASA*-7-718046|%PIX-7-718046|%FWSM-7-718046; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000880; sid: 5000880; rev: 3;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-PIXASA] Access denied URL"; program: %ASA*-5-304002|%PIX-5-304002|%FWSM-7-304002; content: "http://"; classtype: policy-violation; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5001086; sid: 5001086; rev: 5;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] AAA user authentication successful [0/5]"; program: %ASA*-6-113004|%PIX-6-113004|%FWSM-6-113004; classtype: successful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5001087; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; sid: 5001087; rev: 6;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] AAA user authentication Reject [0/5]"; program: %ASA*-6-113005|%PIX-6-113005|%FWSM-6-113005; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5001092; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; sid: 5001092; rev: 5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] AAA user authentication Reject - Brute force [10/1]"; program: %ASA*-6-113005|%PIX-6-113005|%FWSM-6-113005; classtype: unsuccessful-user; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5001593; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; fwsam: src, 1 day; flowbits: set,brute_force,21600; sid: 5001593; rev: 8;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Disconnect by SSH server"; program: %ASA*-6-315011|%PIX-6-315011|%FWSM-6-315011; classtype: system-event; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5001088; sid: 5001088; rev: 3;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CISCO-PIXASA] Access denied URL chars - HTTPS"; program: %ASA*-5-304002|%PIX-5-304002|%FWSM-5-304002; content: "https://"; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5001089; sid: 5001089; rev: 3;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CISCO-PIXASA] Access denied URL - HTTPS"; program: %ASA*-5-304002|%PIX-5-304002|%FWSM-5-304002; content: "https://"; classtype: policy-violation; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5001091; sid: 5001091; rev: 4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] User authentication failed - Brute force [5/1]"; program: %ASA*-6-611102|%PIX-6-611102|%FWSM-6-610102; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5001654; threshold: type limit, track by_src, count 1, seconds 86400; after: track by_src, count 5, seconds 300; flowbits: set,brute_force,21600; sid: 5001654; rev: 5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] TCP access denied by ACL - Brute force [25/1]"; program: %ASA*-3-710003; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5001714; normalize; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 1, seconds 86400; after: track by_src, count 25, seconds 300; flowbits: set,brute_force,21600; sid: 5001714; rev: 7;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] TCP access denied by ACL"; program: %ASA*-3-710003; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5001715; parse_src_ip: 1; parse_dst_ip: 2; parse_port; sid: 5001715; rev: 1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CISCO-PIXASA] WebVPN console/admin failed"; program: %ASA*-3-113021; classtype: unsuccessful-admin; reference: url, wiki.quadrantsec.com/bin/view/Main/5001963; sid: 5001963; rev: 1;)
diff -Nru sagan-rules-10222015/cisco-prime.rules sagan-rules-20160923/cisco-prime.rules
--- sagan-rules-10222015/cisco-prime.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/cisco-prime.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan cisco-prime.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -33,139 +33,139 @@
 # The AP ''{0}'' with protocol ''{1}'' receives a message with a large NAV field and all traffic on the channel is suspended. This is most likely a malicious denial of service attack.
 # The system detected a possible denial of service attack and suspended all traffic to the affected channel.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] BIG NAV DOS Attack"; program: snmptrapd; content: "=AP_BIG_NAV_DOS_ATTACK|28|"; classtype: attempted-dos; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002122; sid:5002122; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] BIG NAV DOS Attack"; program: snmptrapd; content: "=AP_BIG_NAV_DOS_ATTACK|28|"; classtype: attempted-dos; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002122; sid:5002122; rev:2;)
 # AP_CONTAINED_AS_ROGUE
 # AP ''{0}'' is being contained. This is due to rogue device spoofing or targeting AP ''{0}'' BSSID on ''{1}'' radio.
 # An access point is reporting that it is being contained as a rogue.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP detect and contained"; program: snmptrapd; content: "=AP_CONTAINED_AS_ROGUE|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002123; sid:5002123; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP detect and contained"; program: snmptrapd; content: "=AP_CONTAINED_AS_ROGUE|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002123; sid:5002123; rev:2;)
 # AP_MAX_ROGUE_COUNT_EXCEEDED
 # AP ''{0}'' is being contained. This is due to rogue device spoofing or targeting AP ''{0}'' BSSID on ''{1}'' radio.
 # The number of rogues detected by a switch (controller) exceeds the internal threshold.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP detected exceed theshold"; program: snmptrapd; content: "=AP_MAX_ROGUE_COUNT_EXCEEDED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002124; sid:5002124; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP detected exceed theshold"; program: snmptrapd; content: "=AP_MAX_ROGUE_COUNT_EXCEEDED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002124; sid:5002124; rev:2;)
 # AUTHENTICATION_FAILURE
 # Switch ''{0}''. Authentication failure reported.
 # There was an SNMP authentication failure on the switch (controller).
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] SNMP Authentication failure"; program: snmptrapd; content: "=AUTHENTICATION_FAILURE|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002125; sid:5002125; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] SNMP Authentication failure"; program: snmptrapd; content: "=AUTHENTICATION_FAILURE|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002125; sid:5002125; rev:2;)
 # BSN_AUTHENTICATION_FAILURE
 # Switch ''{0}." User authentication from Switch ''{0}'' failed for username ''{1}'' and user type ''{2}."
 # A user authentication failure is reported for a local management user or a MAC filter is configured on the controller.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Authentication failure by local management user/MAC "; program: snmptrapd; content: "=BSN_AUTHENTICATION_FAILURE|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002126; sid:5002126; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Authentication failure by local management user/MAC "; program: snmptrapd; content: "=BSN_AUTHENTICATION_FAILURE|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002126; sid:5002126; rev:2;)
 # ROGUE_AP_DETECTED
 # Rogue AP or ad hoc rogue ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}."
 # The system has detected a rogue access point.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP or ADHOC detected"; program: snmptrapd; content: "=ROGUE_AP_DETECTED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002127; sid:5002127; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP or ADHOC detected"; program: snmptrapd; content: "=ROGUE_AP_DETECTED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002127; sid:5002127; rev:2;)
 # ROGUE_AP_ON_NETWORK
 # Rogue AP or ad hoc rogue ''{0}'' is on the wired network.
 # A rogue access point is found reachable through the wired network.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP on the network!"; program: snmptrapd; content: "=ROGUE_AP_ON_NETWORK|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002128; sid:5002128; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP on the network!"; program: snmptrapd; content: "=ROGUE_AP_ON_NETWORK|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002128; sid:5002128; rev:2;)
 # ROGUE_AP_REMOVED
 # Rogue AP or ad hoc rogue ''{0}'' is removed; it was detected as Rogue AP by AP ''{1}'' Radio type ''{2}.''
 # The system is no longer detecting a rogue access point.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP has been removed"; program: snmptrapd; content: "=ROGUE_AP_REMOVED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002129; sid:5002129; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP has been removed"; program: snmptrapd; content: "=ROGUE_AP_REMOVED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002129; sid:5002129; rev:2;)
 # SENSED_TEMPERATURE_HIGH
 # The sensed temperature on the Switch ''{0}'' is too high. The current sensed temperature is ''{1}.''
 # The internal temperature of the system has crossed the configured thresholds.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Internal high temperature detected!"; program: snmptrapd; content: "=SENSED_TEMPERATURE_HIGH|28|"; classtype: hardware-event; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002130; sid:5002130; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Internal high temperature detected!"; program: snmptrapd; content: "=SENSED_TEMPERATURE_HIGH|28|"; classtype: hardware-event; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002130; sid:5002130; rev:2;)
 # SENSED_TEMPERATURE_LOW
 # The sensed temperature on the Switch ''{0}'' is too low. The current sensed temperature is ''{1}.''
 # The internal temperature of the device is below the configured limit in the system.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Internal low temperature detected!"; program: snmptrapd; content: "=SENSED_TEMPERATURE_LOW|28|"; classtype: hardware-event; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002131; sid:5002131; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Internal low temperature detected!"; program: snmptrapd; content: "=SENSED_TEMPERATURE_LOW|28|"; classtype: hardware-event; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002131; sid:5002131; rev:2;)
 # STATION_AUTHENTICATION_FAIL
 # Client ''{0}'' has failed authenticating with AP ''{1},'' interface ''{2}.'' The reason code is ''{3}.''
 # The system failed to authenticate a client.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Station authentication failure"; program: snmptrapd; content: "=STATION_AUTHENTICATION_FAIL|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002132; sid:5002132; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Station authentication failure"; program: snmptrapd; content: "=STATION_AUTHENTICATION_FAIL|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002132; sid:5002132; rev:2;)
 # STATION_ASSOCIATE_FAIL
 # Client ''{0}'' failed to associate with AP ''{1},'' interface ''{2}.'' The reason code is ''{3}.''
 # A client station failed to associate with the system.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Station association failure"; program: snmptrapd; content: "=STATION_ASSOCIATE_FAIL|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002133; sid:5002133; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Station association failure"; program: snmptrapd; content: "=STATION_ASSOCIATE_FAIL|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002133; sid:5002133; rev:2;)
 # STATION_BLACKLISTED
 # Client ''{0}'' which was associated with AP ''{1},'' interface ''{2}'' is excluded. The reason code is ''{3}.''
 # A client is in the exclusion list and is not allowed to authenticate for a configured interval.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Station blacklisted"; program: snmptrapd; content: "=STATION_BLACKLISTED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002134; sid:5002134; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Station blacklisted"; program: snmptrapd; content: "=STATION_BLACKLISTED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002134; sid:5002134; rev:2;)
 # SWITCH_DETECTED_DUPLICATE_IP
 # Switch ''{0}'' detected duplicate IP address ''{0}'' being used by machine with mac address ''{1}.''
 # The system has detected a duplicate IP address in the network that is assigned to the switch (controller).
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Duplicate IP address assigned to controller"; program: snmptrapd; content: "=SWITCH_DETECTED_DUPLICATE_IP|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002135; sid:5002135; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Duplicate IP address assigned to controller"; program: snmptrapd; content: "=SWITCH_DETECTED_DUPLICATE_IP|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002135; sid:5002135; rev:2;)
 # TOO_MANY_USER_UNSUCCESSFUL_LOGINS
 # User ''{1}'' with IP Address ''{0}'' has made too many unsuccessful login attempts.
 # A management user has made too many login attempts.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Possible brute force from management user!"; program: snmptrapd; content: "=TOO_MANY_USER_UNSUCCESSFUL_LOGINS|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002136; sid:5002136; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Possible brute force from management user!"; program: snmptrapd; content: "=TOO_MANY_USER_UNSUCCESSFUL_LOGINS|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002136; sid:5002136; rev:2;)
 # ADHOC_ROGUE_AUTO_CONTAINED
 # Adhoc Rogue ''{0}'' was found and is auto contained as per WPS policy.
 # An ad hoc rogue that the system has detected earlier is now clear.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue ADHOC contained"; program: snmptrapd; content: "=ADHOC_ROGUE_AUTO_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002137; sid:5002137; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue ADHOC contained"; program: snmptrapd; content: "=ADHOC_ROGUE_AUTO_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002137; sid:5002137; rev:2;)
 # ROGUE_AP_AUTO_CONTAINED
 # Rogue AP ''{0}'' is advertising our SSID and is auto contained as per WPS policy.
 # The system has automatically contained a rogue access point.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP auto contained"; program: snmptrapd; content: "=ROGUE_AP_AUTO_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002138; sid:5002138; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP auto contained"; program: snmptrapd; content: "=ROGUE_AP_AUTO_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002138; sid:5002138; rev:2;)
 # TRUSTED_AP_INVALID_ENCRYPTION
 # Trusted AP ''{0}'' is invalid encryption. It is using ''{1}'' instead of ''{2}." It is auto contained as per WPS policy.
 # The system automatically contained a trusted access point that has invalid encryption.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Trusted AP has invalid encryption"; program: snmptrapd; content: "=TRUSTED_AP_INVALID_ENCRYPTION|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002140; sid:5002140; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Trusted AP has invalid encryption"; program: snmptrapd; content: "=TRUSTED_AP_INVALID_ENCRYPTION|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002140; sid:5002140; rev:2;)
 # TRUSTED_AP_INVALID_RADIO_POLICY
 # Trusted AP ''{0}'' has invalid radio policy. It is using ''{1}'' instead of ''{2}." It has been auto contained as per WPS policy.
 # The system has contained a trusted access point with an invalid radio policy.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Trusted AP has invalid radio policy"; program: snmptrapd; content: "=TRUSTED_AP_INVALID_RADIO_POLICY|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002141; sid:5002141; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Trusted AP has invalid radio policy"; program: snmptrapd; content: "=TRUSTED_AP_INVALID_RADIO_POLICY|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002141; sid:5002141; rev:2;)
 # TRUSTED_AP_INVALID_SSID
 # Trusted AP ''{0}'' has invalid SSID. It was auto contained as per WPS policy.
 # The system has automatically contained a trusted access point for advertising an invalid SSID.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Trusted AP has invalid SSID"; program: snmptrapd; content: "=TRUSTED_AP_INVALID_SSID|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002142; sid:5002142; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Trusted AP has invalid SSID"; program: snmptrapd; content: "=TRUSTED_AP_INVALID_SSID|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002142; sid:5002142; rev:2;)
 # TRUSTED_AP_MISSING
 # Trusted AP ''{0}'' is missing or has failed.
 # The wireless system no longer detects a trusted access point.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Trusted AP missing"; program: snmptrapd; content: "=TRUSTED_AP_MISSING|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002143; sid:5002143; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Trusted AP missing"; program: snmptrapd; content: "=TRUSTED_AP_MISSING|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002143; sid:5002143; rev:2;)
 # AP_IMPERSONATION_DETECTED
 # AP Impersonation with MAC ''{0}'' is detected by authenticated AP ''{1}'' on ''{2}'' radio and Slot ID ''{3}.''
 # A radio of an authenticated access point has heard from another access point whose MAC address neither matches that of a rogue nor is it an authenticated neighbor of the detecting access point.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] AP impersionation detected!"; program: snmptrapd; content: "=AP_IMPERSONATION_DETECTED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002144; sid:5002144; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] AP impersionation detected!"; program: snmptrapd; content: "=AP_IMPERSONATION_DETECTED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002144; sid:5002144; rev:2;)
 # SIGNATURE_ATTACK_DETECTED
 # IDS Signature attack detected on Switch ''{0}." The Signature Type is ''{1}," Signature Name is ''{2},'' and Signature description is ''{3}."
 # The switch (controller) is detecting a signature attack. The switch (controller) has a list of signatures that it monitors. When it detects a signature, it provides the name of the signature attack in the alert it generates.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] WIDS / Signature attack detected!"; program: snmptrapd; content: "=SIGNATURE_ATTACK_DETECTED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002145; sid:5002145; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] WIDS / Signature attack detected!"; program: snmptrapd; content: "=SIGNATURE_ATTACK_DETECTED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002145; sid:5002145; rev:2;)
 # AP_AUTHORIZATION_FAILURE
 # * Failed to authorize AP "{0}." Authorization entry does not exist in Controllers "{1}" AP Authorization List.
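Review bot: Since every rule in this hunk is rewritten with a rev bump anyway, the msg typos in the new lines should be fixed in the same pass rather than cost another rev later: sid:5002124 `msg: "[CISCO-PRIME] Rogue AP detected exceed theshold"` should read `threshold`, sid:5002144 `msg: "[CISCO-PRIME] AP impersionation detected!"` should read `impersonation`, and the msg of sid:5002126 ends with a space before the closing quote (`user/MAC "`), which is emitted verbatim in every alert and will trip any exact-match on the message text downstream. The comment block above sid:5002124 repeats the AP_CONTAINED_AS_ROGUE description (`# AP ''{0}'' is being contained...`) instead of describing AP_MAX_ROGUE_COUNT_EXCEEDED; the third comment line is correct, so the copied second line can simply be dropped. The same pass should also catch the two rules in the following hunk whose content does not match their header — sid:5002146 still carries `content: "=SIGNATURE_ATTACK_DETECTED|28|"` under AP_AUTHORIZATION_FAILURE and sid:5002151 carries `content: "=MFP_ANOMALY_DETECTED_TRAP|28|"` under MESH_AUTHORIZATIONFAILURE — since as written they can never fire on the events their comments describe. The actual change (dropping the `http://` scheme from the cisco.com reference) presumably relies on the `url` reference type supplying the scheme from reference.config, as the wiki.quadrantsec.com references on the same lines already do; a one-line note in the file header saying so would stop the next editor from putting the scheme back.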
@@ -174,179 +174,179 @@
 # * Failed to authorize AP "{0}." AP has a self signed certificate where as the Controllers "{1}" AP authorization list has Manufactured Installed Certificate for this AP.
 # An alert is generated when an access point fails to associate with a controller due to authorization issues.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] WIDS / Signature attack detected!"; program: snmptrapd; content: "=SIGNATURE_ATTACK_DETECTED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002146; sid:5002146; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] WIDS / Signature attack detected!"; program: snmptrapd; content: "=SIGNATURE_ATTACK_DETECTED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002146; sid:5002146; rev:2;)
 # CISCO_LWAPP_MESH_CONSOLE_LOGIN
 # Console login successful or failed.
 # The console port provides the ability for the customer to change the username and password to recover the stranded outdoor access point. To prevent any unauthorized user access to the access point, the NCS sends an alarm when someone tries to log in. This alarm is required to provide protection because the access point is physically vulnerable being located outdoors.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] MESH Console login"; program: snmptrapd; content: "=CISCO_LWAPP_MESH_CONSOLE_LOGIN|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002147; sid:5002147; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] MESH Console login"; program: snmptrapd; content: "=CISCO_LWAPP_MESH_CONSOLE_LOGIN|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002147; sid:5002147; rev:2;)
 # CISCO_LWAPP_MESH_AUTHORIZATION_FAILURE
 # Fails to authenticate with controller.
 # The NCS receives a trap from the controller. The trap contains the MAC addresses of those access points that failed authorization.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] MESH authorization failure"; program: snmptrapd; content: "=CISCO_LWAPP_MESH_AUTHORIZATION_FAILURE|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002148; sid:5002148; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] MESH authorization failure"; program: snmptrapd; content: "=CISCO_LWAPP_MESH_AUTHORIZATION_FAILURE|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002148; sid:5002148; rev:2;)
 # IDS_SHUN_CLIENT_TRAP
 # The Cisco Intrusion Detection System "{0}" has detected a possible intrusion attack by the wireless client "{1}."
 # This trap is generated in response to a shun client clear alert originated from a Cisco IDS/IPs appliance ("{0}") installed in the data path between the wireless client ("{1}") and the intranet of the site.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Shun client alert from IDS/IPS appliance!"; program: snmptrapd; content: "=IDS_SHUN_CLIENT_TRAP|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002149; sid:5002149; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Shun client alert from IDS/IPS appliance!"; program: snmptrapd; content: "=IDS_SHUN_CLIENT_TRAP|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002149; sid:5002149; rev:2;)
 # MFP_ANOMALY_DETECTED_TRAP
 # MFP configuration of the WLAN was violated by the radio interface "{0}" and detected by the radio interface "{1}" of the access point with MAC address "{2}." The violation is "{3}."
 # This notification is sent by the agent when the MFP configuration of the WLAN was violated by the radio interface cLApIfSmtDot11Bssid and detected by the radio interface cLApDot11IfSlotId of the access point cLApSysMacAddress. This violation is indicated by cLMfpEventType. When observing the management frame(s) given by cLMfpEventFrames for the last cLMfpEventPeriod time units, the controller reports the occurrence of a total of cLMfpEventTotal violation events of type cLMfpEventType. When the cLMfpEventTotal is 0, no further anomalies have recently been detected, and the NMS should clear any alarm raised about the MFP errors. Note This notification is generated by the controller only if MFP was configured as the protection mechanism through cLMfpProtectType.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] MFP anomaly detected"; program: snmptrapd; content: "=MFP_ANOMALY_DETECTED_TRAP|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002150; sid:5002150; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] MFP anomaly detected"; program: snmptrapd; content: "=MFP_ANOMALY_DETECTED_TRAP|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002150; sid:5002150; rev:2;)
 # MESH_AUTHORIZATIONFAILURE
 # MESH "{0}" fails to authenticate with controller because "{1}".
 # A mesh access point failed to join the mesh network because its MAC address is not listed in the MAC filter list. The alarm includes the MAC address of the mesh access point that failed to join.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] MESH authentication failure"; program: snmptrapd; content: "=MFP_ANOMALY_DETECTED_TRAP|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002151; sid:5002151; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] MESH authentication failure"; program: snmptrapd; content: "=MFP_ANOMALY_DETECTED_TRAP|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002151; sid:5002151; rev:2;)
 # GUEST_USER_ADDED
 # Guest user "{0}" created on the controller "{1}."
 # This notification is sent by the agent when the GuestUser account is created successfully.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] GUEST user created on controller"; program: snmptrapd; content: "=GUEST_USER_ADDED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002152; sid:5002152; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] GUEST user created on controller"; program: snmptrapd; content: "=GUEST_USER_ADDED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002152; sid:5002152; rev:2;)
 # GUEST_USER_AUTHENTICATED
 # Guest user "{1}" logged into controller "{0}."
 # This notification is sent by the agent when the GuestUser logged into the network through webauth successfully.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] GUEST user authenticated"; program: snmptrapd; content: "=GUEST_USER_AUTHENTICATED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002153; sid:5002153; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] GUEST user authenticated"; program: snmptrapd; content: "=GUEST_USER_AUTHENTICATED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002153; sid:5002153; rev:2;)
 # GUEST_USER_LOGOFF
 # Guest user "{1}" logged out from the controller "{0}."
 # This notification is sent by the agent when a GuestUser who was previously logged into the network logs out.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] GUEST user logoff"; program: snmptrapd; content: "=GUEST_USER_LOGOFF|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002154; sid:5002154; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] GUEST user logoff"; program: snmptrapd; content: "=GUEST_USER_LOGOFF|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002154; sid:5002154; rev:2;)
 # SI_SECURITY_TRAPS
 # Raised when Interferer marked as a security threat is detected by the network.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] SI Security trap raised!"; program: snmptrapd; content: "=SI_SECURITY_TRAPS|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002155; sid:5002155; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] SI Security trap raised!"; program: snmptrapd; content: "=SI_SECURITY_TRAPS|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002155; sid:5002155; rev:2;)
 # FAN_MONITOR
 # Cooling fan failure [ applies to MSE-3355 only]. One of the CPU cooling fans on $HOST [$IP] has failed.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Cooling fan failure [MSE-3355]"; program: snmptrapd; content: "=FAN_MONITOR|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002156; sid:5002156; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Cooling fan failure [MSE-3355]"; program: snmptrapd; content: "=FAN_MONITOR|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002156; sid:5002156; rev:2;)
 # FRIENDLY_ROGUE_AP_DETECTED_ON_NETWORK
 # A rogue access point was detected on network by the system with classification "Friendly".
 # Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Friendly rogue AP detected on network"; program: snmptrapd; content: "=FRIENDLY_ROGUE_AP_DETECTED_ON_NETWORK|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002157; sid:5002157; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Friendly rogue AP detected on network"; program: snmptrapd; content: "=FRIENDLY_ROGUE_AP_DETECTED_ON_NETWORK|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002157; sid:5002157; rev:2;)
 # FRIENDLY_ROGUE_AP_DETECTED
 # A rogue access point was detected by the system with classification "Friendly".
 # Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Friendly rogue AP detected"; program: snmptrapd; content: "=FRIENDLY_ROGUE_AP_DETECTED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002158; sid:5002158; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Friendly rogue AP detected"; program: snmptrapd; content: "=FRIENDLY_ROGUE_AP_DETECTED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002158; sid:5002158; rev:2;)
 # UNCLASSIFIED_ROGUE_AP_DETECTED_ON_NETWORK
 # A rogue access point was detected on network by the system with classification "Unclassified" in contained state.
 # Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Unclassified rogue AP detected on network"; program: snmptrapd; content: "=UNCLASSIFIED_ROGUE_AP_DETECTED_ON_NETWORK|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002159; sid:5002159; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Unclassified rogue AP detected on network"; program: snmptrapd; content: "=UNCLASSIFIED_ROGUE_AP_DETECTED_ON_NETWORK|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002159; sid:5002159; rev:2;)
 # UNCLASSIFIED_ROGUE_AP_DETECTED_ON_NETWORK_AND_CONTAINED
 # A rogue access point was detected on network by the system with classification "Unclassified" in contained state.
 # Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Unclassified rogue AP detected on network contained"; program: snmptrapd; content: "=UNCLASSIFIED_ROGUE_AP_DETECTED_ON_NETWORK_AND_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002160; sid:5002160; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Unclassified rogue AP detected on network contained"; program: snmptrapd; content: "=UNCLASSIFIED_ROGUE_AP_DETECTED_ON_NETWORK_AND_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002160; sid:5002160; rev:2;)
 # UNCLASSIFIED_ROGUE_AP_DETECTED_CONTAINED
 # A rogue access point was detected on network by the system with classification "Unclassified" in contained state.
 # Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Unclassified rogue AP detected contained"; program: snmptrapd; content: "=UNCLASSIFIED_ROGUE_AP_DETECTED_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002161; sid:5002161; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Unclassified rogue AP detected contained"; program: snmptrapd; content: "=UNCLASSIFIED_ROGUE_AP_DETECTED_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002161; sid:5002161; rev:2;)
 # UNCLASSIFIED_ROGUE_AP_DETECTED
 # A rogue access point was detected on network by the system with classification "Unclassified" in contained state.
 # Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Unclassified rogue AP detected"; program: snmptrapd; content: "=UNCLASSIFIED_ROGUE_AP_DETECTED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002162; sid:5002162; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Unclassified rogue AP detected"; program: snmptrapd; content: "=UNCLASSIFIED_ROGUE_AP_DETECTED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002162; sid:5002162; rev:2;)
 # MALICIOUS_ROGUE_AP_DETECTED_ON_NETWORK
 # A rogue access point was detected on network by the system with classification "Malicious" in contained state.
 # Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Malicious rogue AP detected on the network"; program: snmptrapd; content: "=MALICIOUS_ROGUE_AP_DETECTED_ON_NETWORK|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002163; sid:5002163; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Malicious rogue AP detected on the network"; program: snmptrapd; content: "=MALICIOUS_ROGUE_AP_DETECTED_ON_NETWORK|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002163; sid:5002163; rev:2;)
 # MALICIOUS_ROGUE_AP_DETECTED_ON_NETWORK_AND_CONTAINED
 # A rogue access point was detected on network by the system with classification "Malicious" in contained state.
 # Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Malicious rogue AP detected on the network contained"; program: snmptrapd; content: "=MALICIOUS_ROGUE_AP_DETECTED_ON_NETWORK_AND_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002164; sid:5002164; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Malicious rogue AP detected on the network contained"; program: snmptrapd; content: "=MALICIOUS_ROGUE_AP_DETECTED_ON_NETWORK_AND_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002164; sid:5002164; rev:2;)
 # MALICIOUS_ROGUE_AP_DETECTED_CONTAINED
 # Malicious Rogue AP detected as contained.
 # A rogue access point was detected on network by the system with classification "Malicious" in contained state.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Malicious rogue AP detected contained"; program: snmptrapd; content: "=MALICIOUS_ROGUE_AP_DETECTED_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002165; sid:5002165; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Malicious rogue AP detected contained"; program: snmptrapd; content: "=MALICIOUS_ROGUE_AP_DETECTED_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002165; sid:5002165; rev:2;)
 # MALICIOUS_ROGUE_AP_DETECTED
 # A rogue access point was detected on network by the system with classification "Malicious" in contained state.
 # Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Malicious rogue AP"; program: snmptrapd; content: "=MALICIOUS_ROGUE_AP_DETECTED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002166; sid:5002166; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Malicious rogue AP"; program: snmptrapd; content: "=MALICIOUS_ROGUE_AP_DETECTED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002166; sid:5002166; rev:2;)
 # ROGUE_ADHOC_DETECTED_ON_NETWORK
 # Adhoc Rogue detected on network.
 # Rogue AP ''{0}'' is on wired network.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue ADHOC detected on network"; program: snmptrapd; content: "=ROGUE_ADHOC_DETECTED_ON_NETWORK|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002167; sid:5002167; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue ADHOC detected on network"; program: snmptrapd; content: "=ROGUE_ADHOC_DETECTED_ON_NETWORK|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002167; sid:5002167; rev:2;)
 # ROGUE_ADHOC_DETECTED_CONTAINED
 # Adhoc Rogue detected contained.
 # Rogue AP contained.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue ADHOC detected on network contained"; program: snmptrapd; content: "=ROGUE_ADHOC_DETECTED_ON_NETWORK|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002168; sid:5002168; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue ADHOC detected on network contained"; program: snmptrapd; content: "=ROGUE_ADHOC_DETECTED_ON_NETWORK|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002168; sid:5002168; rev:2;)
 # ROGUE_AP_STATE_CHANGE
 # Rogue detected.
 # Rogue AP marked as {0} AP.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP state change"; program: snmptrapd; content: "=ROGUE_AP_STATE_CHANGE|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002170; sid:5002170; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP state change"; program: snmptrapd; content: "=ROGUE_AP_STATE_CHANGE|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002170; sid:5002170; rev:2;)
 # ROGUE_DETECTED
 # Rogue detected.
 # Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue detected"; program: snmptrapd; content: "=ROGUE_DETECTED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002171; sid:5002171; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue detected"; program: snmptrapd; content: "=ROGUE_DETECTED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002171; sid:5002171; rev:2;)
 # ROGUE_DETECTED_CONTAINED
 # Rogue detected contained.
 # Adhoc Rogue contained.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue detected contained"; program: snmptrapd; content: "=ROGUE_DETECTED_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002172; sid:5002172; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue detected contained"; program: snmptrapd; content: "=ROGUE_DETECTED_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002172; sid:5002172; rev:2;)
 # ROGUE_DETECTED_ON_NETWORK
 # Rogue detected on network.
 # None
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue detected on network"; program: snmptrapd; content: "=ROGUE_DETECTED_ON_NETWORK|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002173; sid:5002173; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue detected on network"; program: snmptrapd; content: "=ROGUE_DETECTED_ON_NETWORK|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002173; sid:5002173; rev:2;)
 # ROGUE_AUTO_CONTAINED
 # Rogue auto contained.
 # Rogue AP ''{0}'' on Controller ''{1}'' was advertising our SSID and has been auto contained as per WPS policy.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue auto contained"; program: snmptrapd; content: "=ROGUE_AUTO_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002174; sid:5002174; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue auto contained"; program: snmptrapd; content: "=ROGUE_AUTO_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002174; sid:5002174; rev:2;)
 # USER_AUTHENTICATION_FAILURE
 # User Authentication Failure.
 # ''%s'' ''%s'' failed authentication on Controller ''%s''.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] User authentication failure"; program: snmptrapd; content: "=USER_AUTHENTICATION_FAILURE|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002175; sid:5002175; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] User authentication failure"; program: snmptrapd; content: "=USER_AUTHENTICATION_FAILURE|28|"; flowbits: set,recon,86400; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002175; sid:5002175; rev:3;)
 # WIPS_TRAPS
 # Dynamically generated per alarm.
 # See the wIPS alarm encyclopedia under NCS > Configuration > wIPS Profiles.
 # READ ME: This could be split out more. Cisco documentation has the "alarm names", but lacks SNMP Trap examples.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] WIPS Event!"; program: snmptrapd; content: "=WIPS_TRAPS|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002176; sid:5002176; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] WIPS Event!"; program: snmptrapd; content: "=WIPS_TRAPS|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002176; sid:5002176; rev:2;)
diff -Nru sagan-rules-10222015/cisco-sdee.rules sagan-rules-20160923/cisco-sdee.rules
--- sagan-rules-10222015/cisco-sdee.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/cisco-sdee.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan cisco-sdee.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -32,6 +32,11 @@
 # Contact Champ Clark III for more information (cclark@quadrantsec.com)
 #
 # Since these are not "standard" rules, we start the ID's at "6100000".
+#
+# See: https://supportforums.cisco.com/discussion/10008061/problems-ips-alert-reporting
+# http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gt_fwids.html
+# http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_ios_ips/configuration/12-4t/sec-data-ios-ips-12-4t-book.pdf
+
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPS/IDS License Expiration"; content: "Health Warning"; content: "licenseExpiration"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/6100000; sid: 6100000; rev:1;)
@@ -675,7 +680,7 @@
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sendmail prescan Memory Corruption"; content: "SID: 3124 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103124; sid: 6103124; rev: 3;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Postfix 1.1.12 envelope address DoS"; content: "SID: 3125 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103125; sid: 6103125; rev: 3;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Postfix bounce scan"; content: "SID: 3126 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103126; sid: 6103126; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMTP AUTH Brute Force Attempt"; content: "SID: 3127 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103127; sid: 6103127; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMTP AUTH Brute Force Attempt"; content: "SID: 3127 ,"; flowbits: set,brute_force,21600; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103127; sid: 6103127; rev: 4;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Exchange xexch50 overflow"; content: "SID: 3128 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103128; sid: 6103128; rev: 3;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mimail Virus C Variant File Attachment"; content: "SID: 3129 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103129; sid: 6103129; rev: 3;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mimail Virus I Variant File Attachment"; content: "SID: 3130 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103130; sid: 6103130; rev: 3;)
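Review bot: The new `flowbits: set,brute_force,21600;` on sid 6103127 is added without any comment saying which rules consume the `brute_force` bit (presumably a `flowbits: isset` check elsewhere in the ruleset) or why the window is 21600 seconds, so a later maintainer cannot tell whether renaming the bit or changing the expiry is safe; the identical additions to 6103720 and 6103721 (hunk @@ -896), 6104502 (@@ -949) and 6107002 (@@ -1485) have the same gap. A single comment line above this first rule would cover them, e.g. `# Sets the "brute_force" flowbit (6h) for downstream correlation (flowbits: isset) -- keep the name and expiry in step with the consuming rules.` It is also worth stating that this rule, unlike 6107002, has no `after:` or `threshold:` gate, so one qdee "SID: 3127 ," event is enough to mark the source for six hours; that is reasonable only if the upstream Cisco signature already aggregates attempts, which the hunk cannot show.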
@@ -896,8 +901,8 @@
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] GDI+ JPEG Buffer Overflow"; content: "SID: 3716 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103716; sid: 6103716; rev: 3;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows .ANI File DoS"; content: "SID: 3718 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103718; sid: 6103718; rev: 3;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MSN Messenger PNG Overflow"; content: "SID: 3719 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103719; sid: 6103719; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MSSQL sa Account Brute Force"; content: "SID: 3720 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103720; sid: 6103720; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TNS Brute Force"; content: "SID: 3721 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103721; sid: 6103721; rev: 3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MSSQL sa Account Brute Force"; content: "SID: 3720 ,"; flowbits: set,brute_force,21600; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103720; sid: 6103720; rev: 4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TNS Brute Force"; content: "SID: 3721 ,"; flowbits: set,brute_force,21600; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103721; sid: 6103721; rev: 4;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long pop username"; content: "SID: 3728 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103728; sid: 6103728; rev: 3;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long pop password"; content: "SID: 3729 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103729; sid: 6103729; rev: 3;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Trinoo (TCP)"; content: "SID: 3730 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103730; sid: 6103730; rev: 3;)
@@ -949,7 +954,7 @@
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Generic File Transfer Signatures"; content: "SID: 4322 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104322; sid: 6104322; rev: 3;)
 alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] Cisco IOS Embedded SNMP Community Names"; content: "SID: 4500 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104500; sid: 6104500; rev: 4;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CVCO/4K Remote Username / Password Retrieve"; content: "SID: 4501 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104501; sid: 6104501; rev: 3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] SNMP Community Name Brute Force Attempt"; content: "SID: 4502 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104502; sid: 6104502; rev: 4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] SNMP Community Name Brute Force Attempt"; content: "SID: 4502 ,"; flowbits: set,brute_force,21600; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104502; sid: 6104502; rev: 5;)
 alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] Windows NT SNMP System Info Retrieve"; content: "SID: 4503 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104503; sid: 6104503; rev: 4;)
 alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] SNMP IOS Configuration Retrieval"; content: "SID: 4504 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104504; sid: 6104504; rev: 4;)
 alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] SNMP IOS VACM MIB Access"; content: "SID: 4505 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104505; sid: 6104505; rev: 4;)
@@ -1485,7 +1490,7 @@
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell eDirectory Server iMonitor Buffer Overflow"; content: "SID: 5573 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105573; sid: 6105573; rev: 3;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] OpenView Network Node Manager Command Injection"; content: "SID: 5574 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105574; sid: 6105574; rev: 3;)
 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NBT NetBIOS Session Service Failed Login"; content: "SID: 5575 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105575; sid: 6105575; rev: 3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NBT NetBIOS Session Failed Login - Brute Force [5/3]"; content: "SID: 5575 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 3, seconds 300; fwsam: src, 1 day; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6107002; sid: 6107002; rev: 2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NBT NetBIOS Session Failed Login - Brute Force [5/3]"; content: "SID: 5575 ,"; flowbits: set,brute_force,21600; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 3, seconds 300; fwsam: src, 1 day; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6107002; sid: 6107002; rev: 3;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Login successful with Guest Privileges"; content: "SID: 5576 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105576; sid: 6105576; rev: 3;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB NULL login attempt"; content: "SID: 5577 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105577; sid: 6105577; rev: 3;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB 95 98 Password File Access"; content: "SID: 5578 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105578; sid: 6105578; rev: 3;)
diff -Nru sagan-rules-10222015/cisco-wlc.rules sagan-rules-20160923/cisco-wlc.rules
--- sagan-rules-10222015/cisco-wlc.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/cisco-wlc.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan cisco-wlc.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/citrix-blacklist.rules sagan-rules-20160923/citrix-blacklist.rules
--- sagan-rules-10222015/citrix-blacklist.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/citrix-blacklist.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan citrix-blacklist.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
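Review bot: On sid 6107002 the `flowbits: set,brute_force,21600;` is placed on a rule that already has `after: track by_src, count 5, seconds 300` and `threshold: type limit, track by_src, count 3, seconds 300`, and the hunk does not make clear whether the engine sets the bit on every matching "SID: 5575 ," event or only once the `after:` gate has passed. If it is per event, a single failed NetBIOS login marks the source as brute-forcing for 21600 seconds, a much lower bar than the rule's own 5-in-300 trigger, and the six-hour flowbit then coexists with the one-day `fwsam: src` block without any stated relationship between the two. Worth confirming against the engine's ordering and recording the answer next to the rule, e.g. `# NOTE: flowbit is set <per event | only after the 5/300 gate> -- confirm against engine behaviour`.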
@@ -30,8 +30,8 @@
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLACKLIST] Login from outside blacklisted IP"; content: "SSLVPN LOGIN"; classtype: unsuccessful-user; parse_src_ip: 1; parse_dst_ip: 2; blacklist: by_src; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002261; sid: 5002261; rev:1;)
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLACKLIST] AAA LOGIN_FAILED from blacklisted IP"; content: "AAA LOGIN_FAILED"; classtype: unsuccessful-user; parse_src_ip: 1; normalize: citrix; blacklist: by_src; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002281; sid:5002281; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLACKLIST] AAA LOGIN_FAILED from blacklisted IP"; content: "AAA LOGIN_FAILED"; classtype: unsuccessful-user; parse_src_ip: 1; normalize; blacklist: by_src; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002281; sid:5002281; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLACKLIST] SSLVPN HTTPREQUEST from blacklisted IP"; content: "SSLVPN HTTPREQUEST"; classtype: unsuccessful-user; parse_src_ip: 1; normalize: citrix; blacklist: by_src; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002285; sid:5002285; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLACKLIST] SSLVPN HTTPREQUEST from blacklisted IP"; content: "SSLVPN HTTPREQUEST"; classtype: unsuccessful-user; parse_src_ip: 1; normalize; blacklist: by_src; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002285; sid:5002285; rev:2;)
diff -Nru sagan-rules-10222015/citrix-bluedot.rules
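Review bot: Sid 5002281 is edited (`normalize: citrix` becomes `normalize`) but keeps `rev:1`, whereas the identical edit bumps sid 5002285 to `rev:2` here and, in the citrix-bluedot hunk, takes sid 5002342 from `rev:1` straight to `rev:3`; the revision should move by exactly one on every textual change, commented-out or not, so rule-management tooling can tell that the line changed. The citrix-brointel, citrix-correlated and citrix-geoip hunks make the same `normalize` change and should be checked the same way. This upload also deletes citrix-normalize.rulesbase, the only file on the page that defined the `src-ip`/`username` extraction, so if the argument-less `normalize` now relies on a normalization base shipped by the engine rather than by this package, a one-line header comment recording that dependency, e.g. `# normalize; relies on the engine's default normalization base (citrix-normalize.rulesbase was removed)`, would make it visible.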
sagan-rules-20160923/citrix-bluedot.rules
--- sagan-rules-10222015/citrix-bluedot.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/citrix-bluedot.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan citrix-bluedot.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -28,9 +28,9 @@
 # Login from Bluedot listed IP (Champ Clark / 08/26/2015)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLUEDOT] Login from Bluedot listed IP"; content: "SSLVPN LOGIN"; classtype: unsuccessful-user; parse_src_ip: 1; parse_dst_ip: 2; bluedot: reputation, by_src, $BLUEDOT_NETWORK; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002341; sid:5002341; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLUEDOT] Login from Bluedot listed IP"; content: "SSLVPN LOGIN"; classtype: unsuccessful-user; parse_src_ip: 1; parse_dst_ip: 2; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002341; sid:5002341; rev:3;)
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLUEDOT] AAA LOGIN_FAILED from Bluedot listed IP"; content: "AAA LOGIN_FAILED"; classtype: unsuccessful-user; parse_src_ip: 1; normalize: citrix; bluedot: reputation, by_src, $BLUEDOT_NETWORK; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002342; sid:5002342; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLUEDOT] AAA LOGIN_FAILED from Bluedot listed IP"; content: "AAA LOGIN_FAILED"; classtype: unsuccessful-user; parse_src_ip: 1; normalize; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002342; sid:5002342; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLUEDOT] SSLVPN HTTPREQUEST from Bluedot listed IP"; content: "SSLVPN HTTPREQUEST"; classtype: unsuccessful-user; parse_src_ip: 1; normalize: citrix; bluedot: reputation, by_src, $BLUEDOT_NETWORK; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002343; sid:5002343; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLUEDOT] SSLVPN HTTPREQUEST from Bluedot listed IP"; content: "SSLVPN HTTPREQUEST"; classtype: unsuccessful-user; parse_src_ip: 1; normalize; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002343; sid:5002343; rev:3;)
diff -Nru sagan-rules-10222015/citrix-brointel.rules sagan-rules-20160923/citrix-brointel.rules
--- sagan-rules-10222015/citrix-brointel.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/citrix-brointel.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan citrix-brointel.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
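Review bot: The Bluedot category list `none, Malicious, Tor, Honeypot` is now repeated verbatim in all three rules of this hunk (sids 5002341–5002343) and again in the four rules of the new courier-bluedot.rules, replacing the single `$BLUEDOT_NETWORK` variable the old syntax used, so a future policy change has to be made in seven places. If the `bluedot:` option accepts a variable in that position as the old form did, one variable (say `$BLUEDOT_CATEGORIES`, name constructed) would keep it in one place; otherwise the existing header comment should at least record the intent, e.g. `# Login from Bluedot listed IP - flags the Malicious, Tor and Honeypot categories; keep the list in sync with courier-bluedot.rules`. Sid 5002342 is commented out yet jumps from `rev:1` to `rev:3`.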
@@ -30,8 +30,8 @@
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BROINTEL] Login from outside Bro Intel listed IP"; content: "SSLVPN LOGIN"; classtype: unsuccessful-user; parse_src_ip: 1; parse_dst_ip: 2; bro-intel: by_src; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002262; sid: 5002262; rev:1;)
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BROINTEL] AAA LOGIN_FAILED from Bro Intel listed IP"; content: "AAA LOGIN_FAILED"; classtype: unsuccessful-user; parse_src_ip: 1; normalize: citrix; bro-intel: by_src; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002282; sid:5002282; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BROINTEL] AAA LOGIN_FAILED from Bro Intel listed IP"; content: "AAA LOGIN_FAILED"; classtype: unsuccessful-user; parse_src_ip: 1; normalize; bro-intel: by_src; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002282; sid:5002282; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BROINTEL] SSLVPN HTTPREQUEST from Bro Intel listed IP"; content: "SSLVPN HTTPREQUEST"; classtype: unsuccessful-user; parse_src_ip: 1; normalize: citrix; bro-intel: by_src; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002286; sid:5002286; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BROINTEL] SSLVPN HTTPREQUEST from Bro Intel listed IP"; content: "SSLVPN HTTPREQUEST"; classtype: unsuccessful-user; parse_src_ip: 1; normalize; bro-intel: by_src; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002286; sid:5002286; rev:2;)
diff -Nru sagan-rules-10222015/citrix-correlated.rules sagan-rules-20160923/citrix-correlated.rules
--- sagan-rules-10222015/citrix-correlated.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/citrix-correlated.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan citrix-correlated.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -29,5 +29,5 @@
 # Login/login attempt after recon/honeypot (Champ Clark / 09/18/2015)
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-CORRELATED] Login after suspicious activity"; content: "SSLVPN LOGIN"; classtype: correlated-attack; parse_src_ip: 1; parse_dst_ip: 2; flowbits: isset,by_src,recon|honeypot; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002357; sid:5002357; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-CORRELATED] AAA LOGIN_FAILED after suspicious activity"; content: "AAA LOGIN_FAILED"; classtype: correlated-attack; parse_src_ip: 1; normalize: citrix; flowbits: isset,by_src,recon|honeypot; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002358; sid:5002358; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-CORRELATED] SSLVPN HTTPREQUEST after suspicious activity"; content: "SSLVPN HTTPREQUEST"; classtype: correlated-attack; parse_src_ip: 1; normalize: citrix; flowbits: isset,by_src,recon|honeypot; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002359; sid:5002359; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-CORRELATED] AAA LOGIN_FAILED after suspicious activity"; content: "AAA LOGIN_FAILED"; classtype: correlated-attack; parse_src_ip: 1; normalize; flowbits: isset,by_src,recon|honeypot; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002358; sid:5002358; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-CORRELATED] SSLVPN HTTPREQUEST after suspicious activity"; content: "SSLVPN HTTPREQUEST"; classtype: correlated-attack; parse_src_ip: 1; normalize; flowbits: isset,by_src,recon|honeypot; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002359; sid:5002359; rev:4;)
diff -Nru sagan-rules-10222015/citrix-geoip.rules sagan-rules-20160923/citrix-geoip.rules
--- sagan-rules-10222015/citrix-geoip.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/citrix-geoip.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan citrix-geoip.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -30,7 +30,7 @@
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-GEOIP] Login from outside HOME_COUNTRY"; content: "SSLVPN LOGIN"; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; country_code: track by_src, isnot $HOME_COUNTRY; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002260; sid:5002260; rev:2;)
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-GEOIP] AAA LOGIN_FAILED from outside HOME_COUNTRY"; content: "AAA LOGIN_FAILED"; classtype: unsuccessful-user; parse_src_ip: 1; normalize: citrix; country_code: track by_src, isnot $HOME_COUNTRY; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002280; sid:5002280; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-GEOIP] AAA LOGIN_FAILED from outside HOME_COUNTRY"; content: "AAA LOGIN_FAILED"; classtype: unsuccessful-user; parse_src_ip: 1; normalize; country_code: track by_src, isnot $HOME_COUNTRY; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002280; sid:5002280; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-GEOIP] SSLVPN HTTPREQUEST from outside HOME_COUNTRY"; content: "SSLVPN HTTPREQUEST"; classtype: successful-user; parse_src_ip: 1; normalize: citrix; country_code: track by_src, isnot $HOME_COUNTRY; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002284; sid:5002284; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-GEOIP] SSLVPN HTTPREQUEST from outside HOME_COUNTRY"; content: "SSLVPN HTTPREQUEST"; classtype: successful-user; parse_src_ip: 1; normalize; country_code: track by_src, isnot $HOME_COUNTRY; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002284; sid:5002284; rev:3;)
diff -Nru sagan-rules-10222015/citrix-normalize.rulesbase sagan-rules-20160923/citrix-normalize.rulesbase
--- sagan-rules-10222015/citrix-normalize.rulesbase 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/citrix-normalize.rulesbase 1970-01-01 00:00:00.000000000 +0000
@@ -1,40 +0,0 @@
-# Sagan citrix-normalize.rulebase
-# Copyright (c) 2009-2015, Quadrant Information Security
-# All rights reserved.
-#
-# This file is used in conjunction with liblognorm.
-#
-# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
-#
-#*************************************************************
-# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
-# following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
-# disclaimer.
-# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
-# following disclaimer in the documentation and/or other materials provided with the distribution.
-# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
-# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
-# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#
-#*************************************************************
-
-prefix=
-
-# 16:04:31 GMT server1 PPE-1 : AAA LOGIN_FAILED 71011157 : User bob - Client_ip 12.12.12.12 - Failure_reason "External authentication server denied access"
-
-rule=: %-:word% %-:word% %-:word% %-:word% : AAA LOGIN_FAILED %-:word% : User %username:word% - Client_ip %src-ip:ipv4% - Failure_reason %-:rest%
-
-# 16:23:29 GMT server1 PPE-0 : SSLVPN LOGIN 75181906 : Context bob@12.12.12.12 - SessionId: 11147- User bob - Client_ip 12.12.12.12 - Nat_ip "Mapped Ip" - Vserver 192.168.1.1:443 - Browser_type "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" - SSLVPN_client_type Clientless - Group(s) "N/A"
-
-rule=: %-:word% %-:word% %-:word% %-:word% : SSLVPN LOGIN %-:number% : Context %-:word% - SessionId: %-:word% User %username:word% - Client_ip %src-ip:ipv4% %-:rest%
-rule=: %-:word% %-:word% %-:word% %-:word% : SSLVPN LOGOUT %-:number% : Context %-:word% - SessionId: %-:word% User %username:word% - Client_ip %src-ip:ipv4% %-:rest%
-
diff -Nru sagan-rules-10222015/citrix.rules sagan-rules-20160923/citrix.rules
--- sagan-rules-10222015/citrix.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/citrix.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan citrix.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -213,7 +213,7 @@
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSLVPN license limit reached"; content: "LICLMT_REACHED"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001377; sid: 5001377; rev:1;)
 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSLVPN login succeeds"; content: "LOGIN "; classtype: successful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001378; sid: 5001378; rev:1;)
 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AAA module failed to login the user"; content: "LOGIN_FAILED"; classtype: unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001521; sid: 5001521; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX] Netscaler - AAA module failed to login the user - Brute force [5/5]"; content: "AAA LOGIN_FAILED"; classtype: unsuccessful-user; parse_src_ip: 1; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001379; sid: 5001379; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX] Netscaler - AAA module failed to login the user - Brute force [5/5]"; content: "AAA LOGIN_FAILED"; classtype: unsuccessful-user; flowbits: set,brute_force,21600; parse_src_ip: 1; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001379; sid: 5001379; rev:6;)
 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSLVPN session logs out."; content: "LOGOUT "; classtype: successful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001380; sid: 5001380; rev:1;)
 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Monitor bound to the service is down"; content: "MONITORDOWN"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001381; sid: 5001381; rev:1;)
 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Monitor bound to the service has hit threshold limit"; content: "MONITORTH"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001382; sid: 5001382; rev:1;)
@@ -226,7 +226,7 @@
 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Network interface is started"; content: "NICSTART"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001389; sid: 5001389; rev:1;)
 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Network interface is stopped"; content: "NICSTOP"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001390; sid: 5001390; rev:1;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - A non-http resource access is denied by policy engine"; content: "NONHTTP_RESOURCEACCESS_DENIED"; classtype: unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001391; sid: 5001391; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Server side and a client side TCP connection is delinked"; content: "OTHERCONN_DELINK"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001392; sid: 5001392; rev:1;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Server side and a client side TCP connection is delinked"; content: "OTHERCONN_DELINK"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001392; sid: 5001392; rev:1;)
 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Process with PID is being restarted"; content: "PB_PROCESS_RESTART"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001393; sid: 5001393; rev:1;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Process with pid has reached maximum number of restarts"; content: "PB_SYSTEM_RESTART"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001394; sid: 5001394; rev:1;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation regex error"; content: "PCRE_ERROR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001395; sid: 5001395; rev:1;)
diff -Nru sagan-rules-10222015/courier-bluedot.rules sagan-rules-20160923/courier-bluedot.rules
--- sagan-rules-10222015/courier-bluedot.rules 1970-01-01 00:00:00.000000000 +0000
+++ sagan-rules-20160923/courier-bluedot.rules 2016-09-21 02:52:28.000000000 +0000
@@ -0,0 +1,32 @@
+# Sagan courier-geoip.rules
+# Copyright (c) 2009-2016, Quadrant Information Security
+# All rights reserved.
+#
+# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
+#
+#*************************************************************
+# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
+# following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
+# disclaimer.
+# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
+# following disclaimer in the documentation and/or other materials provided with the distribution.
+# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#*************************************************************
+
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-BLUEDOT] Authentication failure from suspicius source"; content: "LOGIN FAILED,"; parse_src_ip: 1; classtype: unsuccessful-user; program: imapd|imapd-sslcourierlogger; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002885; sid:5002885; rev:2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-BLUEDOT] Logout/disconnect from suspicious source"; pcre: "/LOGOUT|DISCONNECTED/"; classtype: not-suspicious; parse_src_ip: 1; program: imapd|imapd-ssl|courierlogger; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002886; sid:5002886; rev:2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-BLUEDOT] User login from suspicious source"; content: "LOGIN,"; parse_src_ip: 1;classtype: successful-user; program: imapd|imapd-ssl|courierlogger; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002887; sid:5002887; rev:2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-BLUEDOT] Timeout from suspicious source"; content: "TIMEOUT"; parse_src_ip: 1;classtype: successful-user; program: imapd|imapd-ssl|courierlogger; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002888; sid:5002888; rev:2;)
+
diff -Nru sagan-rules-10222015/courier-correlated.rules sagan-rules-20160923/courier-correlated.rules
--- sagan-rules-10222015/courier-correlated.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/courier-correlated.rules 2016-09-21 02:52:28.000000000 +0000
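Review bot: The new file's first line reads `# Sagan courier-geoip.rules` although the file being added is courier-bluedot.rules; it should be `# Sagan courier-bluedot.rules` so the header matches the other rule files. The commented-out rule sid 5002885 also carries `program: imapd|imapd-sslcourierlogger;` (the `|` between `imapd-ssl` and `courierlogger` is missing, so events from a `courierlogger` program would presumably never match it once enabled) and misspells `suspicius` in its `msg`, whereas the three live rules below it use the correct `program: imapd|imapd-ssl|courierlogger;`. The same program-list typo survives unchanged in sid 5002398 in the courier.rules hunk.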
@@ -1,5 +1,5 @@
 # Sagan courier-correlated.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/courier-geoip.rules sagan-rules-20160923/courier-geoip.rules
--- sagan-rules-10222015/courier-geoip.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/courier-geoip.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan courier-geoip.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/courier.rules sagan-rules-20160923/courier.rules
--- sagan-rules-10222015/courier.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/courier.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan courier.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -44,5 +44,5 @@
 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER] Timeout"; content: "TIMEOUT"; parse_src_ip: 1;classtype: successful-user; program: imapd|imapd-ssl|courierlogger; reference: url,wiki.quadrantsec.com/bin/view/Main/5002393; sid:5002393; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER] Authentication failure - Brute Force [5/5]"; content: "LOGIN FAILED,"; parse_src_ip: 1; flowbits: set,brute_force,86400;; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; classtype: unsuccessful-user; program: imapd|imapd-sslcourierlogger; reference: url,wiki.quadrantsec.com/bin/view/Main/5002398; sid:5002398; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER] Authentication failure - Brute Force [5/5]"; content: "LOGIN FAILED,"; parse_src_ip: 1; flowbits: set,brute_force,21600; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; classtype: unsuccessful-user; program: imapd|imapd-sslcourierlogger; reference: url,wiki.quadrantsec.com/bin/view/Main/5002398; sid:5002398; rev:2;)
diff -Nru sagan-rules-10222015/cylance.rules sagan-rules-20160923/cylance.rules
--- sagan-rules-10222015/cylance.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/cylance.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan cylance.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/debian/changelog sagan-rules-20160923/debian/changelog
--- sagan-rules-10222015/debian/changelog 2015-12-30 12:19:02.000000000 +0000
+++ sagan-rules-20160923/debian/changelog 2016-10-11 17:16:37.000000000 +0000
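Review bot: Sid 5002398 keeps `Brute Force [5/5]` in its `msg` while the commit lowers the `threshold:` count from 5 to 1, so the label no longer describes the rule; the other brute-force rules on the page use the bracket as `[after count/threshold count]` (cisco-sdee's `[5/3]`, citrix's `[5/5]`). Either rename it `[5/1]` to match the new `after: … count 5` / `threshold: … count 1` pair, or restore `count 5` if the change was accidental, and say which in the rev bump. The stray `;;` after the flowbit is fixed by this commit and needs no further change.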
@@ -1,3 +1,28 @@
+sagan-rules (1:20160923-0.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * New upstream release.
+ - Using 'epoch' and new date format as version number.
+ * debian/control:
+ - debhelper 10.
+ - Bump Standards-Version from 3.9.6 to 3.9.8.
+ - Homepage entry updated.
+ * debian/compat:
+ - 10
+ * debian/copyright:
+ - updated.
+ - format 1.0.
+ * debian/rules:
+ - *.rulesbase entry removed.
+ * debian/README.source:
+ - created to inform about the format of the version number.
+ * debian/watch:
+ - version 4.
+ - using uversionmangle.
+ - update url.
+
+ -- Herbert Parentes Fortes Neto Tue, 11 Oct 2016 14:16:37 -0300
+
 sagan-rules (10222015-0.1) unstable; urgency=low
 * Non-maintainer upload.
diff -Nru sagan-rules-10222015/debian/compat sagan-rules-20160923/debian/compat
--- sagan-rules-10222015/debian/compat 2011-02-15 10:45:23.000000000 +0000
+++ sagan-rules-20160923/debian/compat 2016-10-11 17:16:37.000000000 +0000
@@ -1 +1 @@
-7
+10
diff -Nru sagan-rules-10222015/debian/control sagan-rules-20160923/debian/control
--- sagan-rules-10222015/debian/control 2015-12-30 12:18:13.000000000 +0000
+++ sagan-rules-20160923/debian/control 2016-10-11 17:16:37.000000000 +0000
@@ -2,9 +2,9 @@
 Section: admin
 Priority: extra
 Maintainer: Pierre Chifflier
-Build-Depends: debhelper (>= 7.0.50~)
-Standards-Version: 3.9.6
-Homepage: http://sagan.softwink.com/
+Build-Depends: debhelper (>= 10)
+Standards-Version: 3.9.8
+Homepage: https://quadrantsec.com/sagan_log_analysis_engine/
 #Vcs-Git: git://git.debian.org/collab-maint/sagan-rules.git
 #Vcs-Browser: http://git.debian.org/?p=collab-maint/sagan-rules.git;a=summary
diff -Nru sagan-rules-10222015/debian/copyright sagan-rules-20160923/debian/copyright
--- sagan-rules-10222015/debian/copyright 2015-12-22 18:59:54.000000000 +0000
+++ sagan-rules-20160923/debian/copyright 2016-10-11 17:16:37.000000000 +0000
@@ -1,39 +1,20 @@ -Format: http://dep.debian.net/deps/dep5 +Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: sagan-rules -Source: http://sagan.softwink.com/ +Source: https://quadrantsec.com/rules/ Files: * -Copyright: 2009-2010, Softwink, Inc. -License: BSD (3 clause) - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - * Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - * Neither the name of the nor the names of its contributors may be used to - endorse or promote products derived from this software without specific - prior written permission. - . - THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND - ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR - ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+Copyright: 2009-2016, Quadrant Information Security +License: BSD-3-clause Files: debian/* -Copyright: 2011 Pierre Chifflier -License: BSD (3 clause) +Copyright: 2011 Pierre Chifflier + 2015-2016 Herbert Parentes Fortes Neto +License: BSD-3-clause + +License: BSD-3-clause Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - + . * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, diff -Nru sagan-rules-10222015/debian/docs sagan-rules-20160923/debian/docs --- sagan-rules-10222015/debian/docs 2015-12-22 18:59:54.000000000 +0000 +++ sagan-rules-20160923/debian/docs 2016-10-11 17:16:37.000000000 +0000 @@ -1 +1 @@ - +debian/README.source diff -Nru sagan-rules-10222015/debian/README.source sagan-rules-20160923/debian/README.source --- sagan-rules-10222015/debian/README.source 1970-01-01 00:00:00.000000000 +0000 +++ sagan-rules-20160923/debian/README.source 2016-10-11 17:16:37.000000000 +0000 @@ -0,0 +1,11 @@ +sagan-rules (1:20160923-0.1) unstable; urgency=medium + + - Using 'epoch' and new date format as version number. So, + the tarball version number is 09232016. To be recognized + as newer version than 10222015 by 'dpkg' the format was + changed to 20160923. From MMDDYYYY to YYYYMMDD. + + A 'epoch' was also included. + + -- Herbert Parentes Fortes Neto Tue, 11 Oct 2016 14:16:37 -0300 + diff -Nru sagan-rules-10222015/debian/rules sagan-rules-20160923/debian/rules --- sagan-rules-10222015/debian/rules 2015-12-23 17:44:46.000000000 +0000 +++ sagan-rules-20160923/debian/rules 2016-10-11 17:16:37.000000000 +0000 
@@ -14,7 +14,7 @@ override_dh_auto_install: dh_installdirs - install -m 0644 *.map *.rulebase *.rulesbase *.conf *.rules *.config debian/sagan-rules/etc/sagan-rules/ + install -m 0644 *.map *.rulebase *.conf *.rules *.config debian/sagan-rules/etc/sagan-rules/ %: dh $@ diff -Nru sagan-rules-10222015/debian/watch sagan-rules-20160923/debian/watch --- sagan-rules-10222015/debian/watch 2015-12-21 18:40:17.000000000 +0000 +++ sagan-rules-20160923/debian/watch 2016-10-11 17:16:37.000000000 +0000 @@ -1,9 +1,4 @@ -# watch control file for uscan -# Run the "uscan" command to check for upstream updates and more. -# See uscan(1) for format - -# Compulsory line, this is a version 3 file -version=3 - -http://sagan.softwink.com/rules/ sagan-rules-(\d\S+)\.tar\.gz +version=4 +opts="uversionmangle=s%(\d\d)(\d\d)(\d\d\d\d)\.tar\.gz$%$3$1$2\.tar.\gz%" \ +https://quadrantsec.com/rules/ sagan-rules-(\d\S+)\.tar\.gz diff -Nru sagan-rules-10222015/deleted.rules sagan-rules-20160923/deleted.rules --- sagan-rules-10222015/deleted.rules 2015-10-22 15:19:05.000000000 +0000 +++ sagan-rules-20160923/deleted.rules 2016-09-21 02:52:28.000000000 +0000 @@ -1,5 +1,5 @@ # Sagan deleted.rules -# Copyright (c) 2009-2015, Quadrant Information Security +# Copyright (c) 2009-2016, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 
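Review bot: The globs that remain in `install -m 0644 *.map *.rulebase *.conf *.rules *.config debian/sagan-rules/etc/sagan-rules/` are unquoted and not nullglob-protected, so any pattern that matches nothing is handed to `install` literally and the build fails — presumably the way the stale `*.rulesbase` entry showed up in the first place. This same upload deletes `dns-normalize.rulebase`; if no other `.rulebase` file ships in the 20160923 tarball, the `*.rulebase` pattern breaks the build in exactly the same way, so it is worth confirming against the tarball listing before relying on it. The hunk header announces seven lines and fewer are visible here, so the recipe may have context I cannot see.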
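Review bot: The uversionmangle on the new `opts=` line is anchored on `\.tar\.gz$`, but uscan applies uversionmangle to the version captured by `(\d\S+)`, and in the URL pattern that group is followed by a literal `\.tar\.gz`, so the captured version does not contain the suffix; unless uscan behaves differently from what I recall, the substitution never matches, the version stays in MMDDYYYY form, and the YYYYMMDD reordering that debian/README.source describes is not applied. The replacement side also reads `\.tar.\gz` where `\.tar\.gz` was evidently meant. Proposed: `opts="uversionmangle=s%^(\d\d)(\d\d)(\d\d\d\d)$%$3$1$2%" \`, which would map 09232016 to 20160923 and can be confirmed with a no-download dry run of uscan.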
@@ -50,5 +50,5 @@
 #alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Accepted publickey"; content: "Accepted publickey" ; classtype: successful-user; program: sshd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000406; sid:5000406; rev:5;)
 #alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Session closed"; content: "session closed for" ; classtype: not-suspicious; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000407; sid:5000407; rev:2;)
 #alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Received disconnect"; content: "Received disconnect from"; classtype: not-suspicious; program: sshd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000408; sid:5000408; rev:4;)
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication success"; pcre: "/accepted|authenticated/i"; classtype: successful-user; normalize: openssh; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000075; sid: 5000075; rev:3;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication success"; pcre: "/accepted|authenticated/i"; classtype: successful-user; normalize; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000075; sid: 5000075; rev:4;)
diff -Nru sagan-rules-10222015/digitalpersona.rules sagan-rules-20160923/digitalpersona.rules
--- sagan-rules-10222015/digitalpersona.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/digitalpersona.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan digitalpersona.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/dns-normalize.rulebase sagan-rules-20160923/dns-normalize.rulebase
--- sagan-rules-10222015/dns-normalize.rulebase 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/dns-normalize.rulebase 1970-01-01 00:00:00.000000000 +0000
@@ -1,37 +0,0 @@
-# Sagan dns-normalize.rulebase
-# Copyright (c) 2009-2015, Quadrant Information Security
-# All rights reserved.
-#
-# This file is used in conjunction with liblognorm.
-#
-# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
-#
-#*************************************************************
-# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
-# following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
-# disclaimer.
-# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
-# following disclaimer in the documentation and/or other materials provided with the distribution.
-# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
-# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
-# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#
-#*************************************************************
-
-prefix=
-
-
-rule=: client %src-ip:ipv4%#%src-port:number%: update '%-:char-to:\x27%' denied
-rule=: client %src-ip:ipv4%#%src-port:number%: query (cache) '%-:char-to:\x27%' denied
-rule=: unexpected RCODE %-:word% resolving '%-:char-to:\x27%': %src-ip:ipv4%#%src-port:number%
-rule=: error (unexpected RCODE %-:word% resolving '%-:char-to:\x27%': %src-ip:ipv4%#%src-port:number%
-
diff -Nru sagan-rules-10222015/dovecot.rules sagan-rules-20160923/dovecot.rules
--- sagan-rules-10222015/dovecot.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/dovecot.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan dovecot.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/f5-big-ip-bluedot.rules sagan-rules-20160923/f5-big-ip-bluedot.rules
--- sagan-rules-10222015/f5-big-ip-bluedot.rules 1970-01-01 00:00:00.000000000 +0000
+++ sagan-rules-20160923/f5-big-ip-bluedot.rules 2016-09-21 02:52:28.000000000 +0000
@@ -0,0 +1,40 @@
+# Sagan F5-BIG-IP-bluedot.rules
+# Copyright (c) 2009-2016, Quadrant Information Security
+# All rights reserved.
+#
+# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
+#
+#*************************************************************
+# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
+# following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
+# disclaimer.
+# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
+# following disclaimer in the documentation and/or other materials provided with the distribution.
+# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#*************************************************************
+
+# F5 Big-IP
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[F5-BIG-IP-BLUEDOT] Command-line Login from suspicious source"; content: "start="; content: !"end="; content: "sshd"; classtype: successful-user; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002889; sid:5002889; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[F5-BIG-IP-BLUEDOT] Command-line Logout from suspicious source"; content: "start="; content: "end="; content: "sshd"; classtype: successful-user; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002890; sid:5002890; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[F5-BIG-IP-BLUEDOT] Unsuccessful Command-line Login from suspicious source"; content: "failed to login after"; content: "sshd"; classtype: unsuccessful-user; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002891; sid:5002891; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[F5-BIG-IP-BLUEDOT] Unsuccessful Command-line Login from suspicious source"; content: "Authentication failure for root"; content: "sshd"; classtype: unsuccessful-user; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002892; sid:5002892; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[F5-BIG-IP-BLUEDOT] Successful Configuration Utility Login from suspicious source"; content: "mod_auth_pam"; content: "httpd"; classtype: successful-user; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002893; sid:5002893; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[F5-BIG-IP-BLUEDOT] Unsuccessful Configuration Utility Login from suspicious source"; content: "failed to login after"; content: "httpd"; classtype: unsuccessful-user; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002894; sid:5002894; rev:2;)
diff -Nru sagan-rules-10222015/f5-big-ip-geoip.rules sagan-rules-20160923/f5-big-ip-geoip.rules
--- sagan-rules-10222015/f5-big-ip-geoip.rules 1970-01-01 00:00:00.000000000 +0000
+++ sagan-rules-20160923/f5-big-ip-geoip.rules 2016-09-21 02:52:28.000000000 +0000
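Review bot: Rules 5002891 and 5002892 carry the identical msg `[F5-BIG-IP-BLUEDOT] Unsuccessful Command-line Login from suspicious source` although they match different events (`failed to login after` versus `Authentication failure for root`), so their alerts cannot be told apart by message; the same duplication exists in f5-big-ip-geoip.rules (5002778/5002779). The four sshd rules (5002889–5002892), their geoip counterparts and the new f5-big-ip.rules rule (5002946) all set `$HTTPS_PORT` as the destination port while describing sshd sessions, whereas the OPENSSH rules elsewhere in this rule set use `$SSH_PORT`, which would describe these events more accurately if the header port ends up in the alert record. The daemon is also located by `content: "sshd"` / `content: "httpd"`, a substring match anywhere in the message, rather than `program:`; if the F5 syslog format does fill the program field, `program: sshd;` would be the more precise form. Minor: the header comment names the file `F5-BIG-IP-bluedot.rules` (and `F5-BIG-IP-GEOIP.rules` in the geoip file) while the files added are lowercase `f5-big-ip-bluedot.rules` / `f5-big-ip-geoip.rules`. Proposed for 5002892: `msg: "[F5-BIG-IP-BLUEDOT] Unsuccessful Command-line root Login from suspicious source"`, and the analogous wording for 5002779.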
@@ -0,0 +1,40 @@
+# Sagan F5-BIG-IP-GEOIP.rules
+# Copyright (c) 2009-2016, Quadrant Information Security
+# All rights reserved.
+#
+# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
+#
+#*************************************************************
+# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
+# following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
+# disclaimer.
+# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
+# following disclaimer in the documentation and/or other materials provided with the distribution.
+# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#*************************************************************
+
+# F5 Big-IP GEOIP rules submitted by Corey Fisher
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[F5-BIG-IP-GEOIP] Command-line Login from outside HOME_COUNTRY"; content: "start="; content: !"end="; content: "sshd"; classtype: successful-user; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002776; sid:5002776; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[F5-BIG-IP-GEOIP] Command-line Logout from outside HOME_COUNTRY"; content: "start="; content: "end="; content: "sshd"; classtype: successful-user; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002777; sid:5002777; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[F5-BIG-IP-GEOIP] Unsuccessful Command-line Login from outside HOME_COUNTRY"; content: "failed to login after"; content: "sshd"; classtype: unsuccessful-user; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002778; sid:5002778; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[F5-BIG-IP-GEOIP] Unsuccessful Command-line Login from outside HOME_COUNTRY"; content: "Authentication failure for root"; content: "sshd"; classtype: unsuccessful-user; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002779; sid:5002779; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[F5-BIG-IP-GEOIP] Successful Configuration Utility Login from outside HOME_COUNTRY"; content: "mod_auth_pam"; content: "httpd"; classtype: successful-user; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002780; sid:5002780; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[F5-BIG-IP-GEOIP] Unsuccessful Configuration Utility Login from outside HOME_COUNTRY"; content: "failed to login after"; content: "httpd"; classtype: unsuccessful-user; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002781; sid:5002781; rev:2;)
diff -Nru sagan-rules-10222015/f5-big-ip.rules sagan-rules-20160923/f5-big-ip.rules
--- sagan-rules-10222015/f5-big-ip.rules 1970-01-01 00:00:00.000000000 +0000
+++ sagan-rules-20160923/f5-big-ip.rules 2016-09-21 02:52:28.000000000 +0000
@@ -0,0 +1,29 @@
+# Sagan f5-big-ip.rules
+# Copyright (c) 2009-2016, Quadrant Information Security
+# All rights reserved.
+#
+# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
+#
+#*************************************************************
+# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
+# following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
+# disclaimer.
+# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
+# following disclaimer in the documentation and/or other materials provided with the distribution.
+# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#*************************************************************
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[F5-BIG-IP] Brute force Attempt [5/1]"; content: "failed to login after"; content: "sshd"; flowbits: set,brute_force,21600; classtype: unsuccessful-user; parse_src_ip: 1; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; reference: url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002946; sid:5002946; rev:1;)
+
diff -Nru sagan-rules-10222015/fatpipe-aetas.rules sagan-rules-20160923/fatpipe-aetas.rules
--- sagan-rules-10222015/fatpipe-aetas.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/fatpipe-aetas.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan fatpipe-aetas.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/fatpipe-bluedot.rules sagan-rules-20160923/fatpipe-bluedot.rules
--- sagan-rules-10222015/fatpipe-bluedot.rules 1970-01-01 00:00:00.000000000 +0000
+++ sagan-rules-20160923/fatpipe-bluedot.rules 2016-09-21 02:52:28.000000000 +0000
@@ -0,0 +1,33 @@
+# Sagan fatpipe-bluedot.rules
+# Copyright (c) 2009-2016, Quadrant Information Security
+# All rights reserved.
+#
+# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
+#
+#*************************************************************
+# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
+# following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
+# disclaimer.
+# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
+# following disclaimer in the documentation and/or other materials provided with the distribution.
+# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#*************************************************************
+
+
+# 10.10.10.5|authpriv|info|info|56|2014-02-12|18:53:52|xtremed| UI Login: Success, User Name: bob, Remote IP: 10.10.10.1, Privilege: ADMINISTRATOR
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"[FATPIPE-BLUEDOT] Login Success from suspicious source"; content: "Login|3a| Success"; classtype: successful-admin; program: xtremed; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002895; sid:5002895; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"[FATPIPE-BLUEDOT] Login Success - ADMINISTRATOR - from suspicious source"; content: "Login|3a| Success"; content: "ADMINISTRATOR"; classtype: successful-admin; program: xtremed; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002896; sid:5002896; rev:2;)
+
diff -Nru sagan-rules-10222015/fatpipe-correlated.rules sagan-rules-20160923/fatpipe-correlated.rules
--- sagan-rules-10222015/fatpipe-correlated.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/fatpipe-correlated.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan fatpipe-correlated.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/fatpipe-geoip.rules sagan-rules-20160923/fatpipe-geoip.rules
--- sagan-rules-10222015/fatpipe-geoip.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/fatpipe-geoip.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan fatpipe-geoip.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/fatpipe.rules sagan-rules-20160923/fatpipe.rules
--- sagan-rules-10222015/fatpipe.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/fatpipe.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan fatpipe.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -34,6 +34,6 @@ # 10.10.10.5|authpriv|info|info|56|2014-02-12|19:01:06|xtremed| UI Login: Attempt Failed, User Name: bob, Remote IP: 10.10.0.1 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"[FATPIPE] Login Failed"; content: "Login|3a| Attempt Failed"; classtype: unsuccessful-admin; program: xtremed; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001957; sid: 5001957; rev:1;) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"[FATPIPE] Login Failed - Brute Force [5/5]"; content: "Login|3a| Attempt Failed"; classtype: unsuccessful-admin; program: xtremed; parse_src_ip: 1; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001958; sid: 5001958; rev:2;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"[FATPIPE] Login Failed - Brute Force [5/5]"; content: "Login|3a| Attempt Failed"; classtype: unsuccessful-admin; flowbits: set,brute_force,21600; program: xtremed; parse_src_ip: 1; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001958; sid: 5001958; rev:3;) diff -Nru sagan-rules-10222015/fipaypin.rules sagan-rules-20160923/fipaypin.rules --- sagan-rules-10222015/fipaypin.rules 1970-01-01 00:00:00.000000000 +0000 +++ sagan-rules-20160923/fipaypin.rules 2016-09-21 02:52:28.000000000 +0000 
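Review bot: The rewritten rule (sid 5001958) keeps `threshold: type limit, track by_src, count 5, seconds 300`, while the courier brute-force rule in this same upload (sid 5002398) received the same `flowbits: set,brute_force,21600` together with a threshold change to `count 1`, and the new f5-big-ip.rules rule (5002946) pairs `after ... count 5` with `threshold ... count 1` from the start. If the intent shared by those rules is one alert per source per 300 s window once the fifth failure is seen, this rule should presumably follow with `threshold: type limit, track by_src, count 1, seconds 300;` and a `[5/1]` label in the msg; if fatpipe deliberately allows up to five alerts per window, a comment above the rule saying why would stop a later pass from "fixing" it. How `after` and `threshold` combine is Sagan-specific, so this is inferred from the sibling rules rather than from the engine, and the hunk header announces six lines of which fewer are visible here.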
@@ -0,0 +1,65 @@
+# Sagan fipaypin.rules
+# Copyright (c) 2009-2016, Quadrant Information Security
+# All rights reserved.
+#
+# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
+#
+#*************************************************************
+# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
+# following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
+# disclaimer.
+# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
+# following disclaimer in the documentation and/or other materials provided with the distribution.
+# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#*************************************************************
+#
+# Rules to be used with PoS (Point of Sales) FiPay PIN (Flexable Integrated Payment System) credit card
+# processing devices. For information about AJB Software's web site:
+#
+# http://www.ajbsoftware.com/
+# http://support.ajbsoftware.com/index.aspx?menuId=10305
+
+# 10.11.11.11|daemon|warning|warning|1c|2015-11-28|16:31:49|xxx_RTS_FIPEMV2| 8: 2015/11/28 16:31:49.423 C-400008 FIPAYPIN FIPEMV2 : Call Remote: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 10.11.11.11:26008
+# 10.11.11.11|daemon|warning|warning|1c|2015-12-07|02:06:24|xxx_RTS_FIPAYPIN| 8: 2015/12/07 02:06:24.537 C-400008 FIPAYPIN FIPAYPIN : Unable to connect Fipay Node 'whatever'
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[FIPAYPIN] Connection failed to Fipay [5/2]"; content: "C-400008"; classtype: misc-activity; program: *FIPAYPIN*; parse_src_ip: 1; parse_port; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 2, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002764; sid:5002764; rev:1;)
+
+# 10.11.11.11|daemon|warning|warning|1c|2015-11-07|16:55:15|xxx_RTS_FIPEMV1| 2046: 2015/11/07 16:55:15.154 S-302046 FIPAYPIN FIPEMV1 : Slow send (from 16:55:14.622 --> 531ms).Thread ID:9
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[FIPAYPIN] Slow send!"; content: "S-302046"; classtype: misc-activity; program: *FIPEMV*; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 2, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002765; sid:5002765; rev:1;)
+
+# See sagan.conf for $CREDIT_CARD_PREFIXES.
+# 10.11.11.11|daemon|warning|warning|1c|2015-11-03|10:27:43|xxx_RTS_FIPAYPIN| 0: 2015/11/03 10:27:43.379 S-300000 FIPAYPIN FIPAYPIN : Swpe: Response Success track2=666666******6666 svc=6666
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[FIPAYPIN] Invalid credit card detected"; content: "S-300000"; content: "Swpe: Response"; meta_content:!"track2=%sagan%", $CREDIT_CARD_PREFIXES; classtype: misc-activity; program: *FIPAYPIN*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002766; sid:5002766; rev:3;)
+
+# 10.11.11.11|daemon|warning|warning|1c|2015-11-27|10:46:42|xxx_RTS_FIPAYPIN| 0: 2015/11/27 10:46:41.999 S-300000 FIPAYPIN FIPAYPIN : Bad/No Pin Block and KSN returned - Check to ensure your pinpad had DUKPT keys loaded.
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[FIPAYPIN] Bad/No Pin Block and KSN returned"; content: "S-300000"; content: "Bad/No Pin Block and KSN returned"; classtype: misc-activity; program: *FIPAYPIN*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002767; sid:5002767; rev:1;)
+
+# 10.11.11.11|daemon|warning|warning|1c|2015-11-15|15:38:02|xxx_RTS_FIPAYPIN| 0: 2015/11/15 15:38:02.220 S-300000 FIPAYPIN FIPAYPIN : Blocked the response to POS.
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[FIPAYPIN] Blocked the response to POS"; content: "S-300000"; content: "Blocked the response to POS"; classtype: misc-activity; program: *FIPAYPIN*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002768; sid:5002768; rev:1;)
+
+# 10.30.1.131|daemon|warning|warning|1c|2015-11-19|11:33:13|xxx_RTS_FIPAYPIN| 0: 2015/11/19 11:33:13.015 S-300000 FIPAYPIN FIPAYPIN : Failed to open pinpad COM9.
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[FIPAYPIN] Failed to open pinpad [0/2]"; content: "S-300000"; content: "Failed to open pinpad"; classtype: misc-activity; program: *FIPAYPIN*; threshold: type limit, track by_src, count 2, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002769; sid:5002769; rev:1;)
+
+# 10.11.11.11|daemon|warning|warning|1c|2015-11-04|13:57:27|xxx_RTS_FIPAYPIN| 0: 2015/11/04 13:57:27.037 S-300000 FIPAYPIN FIPAYPIN : Replace macro [RTS1_IP] with value '10.11.11.11'
+
+# See sagan.conf for RFC1918 var.
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[FIPAYPIN] Replace macro from outside RFC1918"; content: "S-300000"; content: "RTS1_IP"; meta_content:!"value ''%sagan%", $RFC1918; classtype: misc-activity; program: *FIPAYPIN*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002770; sid:5002770; rev:1;)
+
diff -Nru sagan-rules-10222015/fortinet-aetas.rules sagan-rules-20160923/fortinet-aetas.rules
--- sagan-rules-10222015/fortinet-aetas.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/fortinet-aetas.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan fortinet-aetas.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/fortinet-bluedot.rules sagan-rules-20160923/fortinet-bluedot.rules
--- sagan-rules-10222015/fortinet-bluedot.rules 1970-01-01 00:00:00.000000000 +0000
+++ sagan-rules-20160923/fortinet-bluedot.rules 2016-09-21 02:52:28.000000000 +0000
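Review bot: In sid 5002770 the negated `meta_content:!"value ''%sagan%", $RFC1918` uses two single quotes where the sample log line above it has `value '10.11.11.11'` with one; unless `''` is an escape in Sagan's content syntax, the pattern can never match, the negation is then always true, and the rule fires on every RTS1_IP macro line whether the address is RFC1918 or not. Every reference in this file is written `url,wiki.quadrantsec.com/bin/view/Main/sid:5002764` while the other files in the diff use `.../Main/<sid>` without the `sid:` prefix, which looks like a copy-paste slip repeated across all seven rules. Sid 5002764 is the only rule declared as `alert tcp` (with `parse_port`) while the rest are `alert syslog`; if that is deliberate a comment saying why would help. The header comment's "Flexable" should read "Flexible".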
@@ -0,0 +1,32 @@
+# Sagan fortinet-bluedot.rules
+# Copyright (c) 2009-2016, Quadrant Information Security
+# All rights reserved.
+#
+# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
+#
+#*************************************************************
+# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
+# following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
+# disclaimer.
+# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
+# following disclaimer in the documentation and/or other materials provided with the distribution.
+# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#*************************************************************
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-BLUEDOT] Login accepted from suspicious source"; content: "32006 type="; content: "login"; pcre: "/accepted|successfully/"; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5002881; sid:5002881; rev:2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-BLUEDOT] Administrator Login from suspicious source"; content: "32001 type="; content: "logged in"; parse_src_ip: 1; classtype: successful-admin; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002882; sid:5002882; rev:2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-BLUEDOT] Admin authentication success suspicious source"; content: "38001 type="; content: "succeeded in authentication"; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5002883; sid:5002883; rev:2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-BLUEDOT] SSH traffic detected from suspicious source"; content: " service=SSH "; content:!"duration=0 sentbyte=0 rcvdbyte=0"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002884; sid:5002884; rev:2;)
+
diff -Nru sagan-rules-10222015/fortinet-correlated.rules sagan-rules-20160923/fortinet-correlated.rules
--- sagan-rules-10222015/fortinet-correlated.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/fortinet-correlated.rules 2016-09-21 02:52:28.000000000 +0000
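Review bot: The new file carries no comment on what these rules depend on or how they relate to fortinet.rules: sid 5002881 uses the same `content: "32006 type="`, `content: "login"` and `pcre: "/accepted|successfully/"` as fortinet.rules sid 5000908 (visible in the fortinet.rules hunk below), so a matching login line raises both alerts and the only difference is the `bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot` lookup. A short header would make the intent explicit, e.g. `# Requires the Bluedot processor to be enabled in sagan.conf. These rules mirror the matching fortinet.rules sids and are meant to alert only when the source IP falls in the Malicious, Tor or Honeypot categories.` Sid 5002884 also sets `parse_dst_ip: 2` although the lookup is `track by_src`; if the destination is only parsed for the alert output, say so in a comment. Unlike fipaypin.rules, no sample log lines are included, so the field positions behind `parse_src_ip: 1` cannot be checked from the file.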
@@ -1,5 +1,5 @@
 # Sagan fortinet-correlated.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/fortinet-geoip.rules sagan-rules-20160923/fortinet-geoip.rules
--- sagan-rules-10222015/fortinet-geoip.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/fortinet-geoip.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan fortinet-geoip.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/fortinet-malware.rules sagan-rules-20160923/fortinet-malware.rules
--- sagan-rules-10222015/fortinet-malware.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/fortinet-malware.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan fortinet-malware.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/fortinet-normalize.rulebase sagan-rules-20160923/fortinet-normalize.rulebase
--- sagan-rules-10222015/fortinet-normalize.rulebase 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/fortinet-normalize.rulebase 1970-01-01 00:00:00.000000000 +0000
@@ -1,33 +0,0 @@
-# Sagan fortinet-rulebase.rulebase
-# Copyright (c) 2009-2014, Quadrant Information Security
-# All rights reserved.
-#
-# This file is used in conjunction with liblognorm.
-#
-# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
-#
-#*************************************************************
-# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
-# following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
-# disclaimer.
-# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
-# following disclaimer in the documentation and/or other materials provided with the distribution.
-# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
-# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
-# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#
-#*************************************************************
-
-prefix=
-
-rule=: time=%-:word% devname=%-:word% devid=%-:word% logid=%-:word% type=%-:word% subtype=%-:word% level=%-:word% vd=%-:word% srcip=%src-ip:ipv4% srcport=%src-port:number% srcintf=%-:word% dstip=%dst-ip:ipv4% dstport=%dst-port:number% dstintf=%-:word% %-:rest%
-
diff -Nru sagan-rules-10222015/fortinet.rules sagan-rules-20160923/fortinet.rules
--- sagan-rules-10222015/fortinet.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/fortinet.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan fortinet.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -35,7 +35,7 @@
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] To many bad admin login attempts"; content: "32002 type="; content: "bad attempts"; parse_src_ip: 1; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000904; sid: 5000904; rev:2;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Administrator logout"; content: "32003 type="; content: "action=logout"; classtype: not-suspicious; reference: url,wiki.quadrantsec.com/bin/view/Main/5000905; sid: 5000905; rev:1;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] IPS error mode"; content: "32004 type="; content: "error mode"; classtype: configuration-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5000906; sid: 5000906; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Login failed [Brute Force] [5/5]"; content: "32005 type="; content: "login failed"; parse_src_ip: 1; classtype: attempted-admin; after: track by_src, count 5, seconds 300; parse_ip_src: 1; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000907; sid: 5000907; rev:5;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Login failed [Brute Force] [5/5]"; content: "32005 type="; content: "login failed"; parse_src_ip: 1; classtype: attempted-admin; flowbits: set,brute_force,21600; after: track by_src, count 5, seconds 300; parse_ip_src: 1; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000907; sid: 5000907; rev:6;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Login accepted"; content: "32006 type="; content: "login"; pcre: "/accepted|successfully/"; parse_src_ip: 1; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000908; sid: 5000908; rev:2;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Disk full or almost full"; content: "32006 type="; content: "disk"; nocase; content: "log "; nocase; pcre: "/exceeds|full/"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000909; sid: 5000909; rev:2;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Fortigate has started"; content: "32006 type="; content: "Fortigate started"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000910; sid: 5000910; rev:1;)
diff -Nru sagan-rules-10222015/ftpd.rules sagan-rules-20160923/ftpd.rules
--- sagan-rules-10222015/ftpd.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/ftpd.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan ftpd.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
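Review bot: The rewritten sid 5000907 (rev 6) still carries `parse_ip_src: 1` between `after:` and `threshold:`, alongside the `parse_src_ip: 1` that already appears earlier in the same rule; `parse_ip_src` looks like a transposition of the real keyword, and whether Sagan rejects the rule or silently ignores an unknown option, it is dead text that this rev bump was the right moment to drop. Suggested change: delete `parse_ip_src: 1; ` so the rule reads `... after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; ...`. The context rule sid 5000904 has `To many` in its msg where `Too many` is meant, though that line is outside the change.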
@@ -25,18 +25,24 @@
 #
 #*************************************************************
-alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] FTP Login refused"; content: "FTP LOGIN REFUSED"; classtype: unsuccessful-user; program: ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000182; sid:5000182; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] File created"; content: " created "; classtype: not-suspicious; program: ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000183; sid:5000183; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] File deleted"; content: " deleted "; classtype: not-suspicious; program: ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000184; sid:5000184; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] User uploaded a file to server"; content: "IMPORT file"; classtype: not-suspicious; program: ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000185; sid:5000185; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] User downloaded a file to server"; content: "EXPORT file"; classtype: not-suspicious; program: ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000186; sid:5000186; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] Remote host connected to FTP server"; pcre: "/FTP LOGIN FROM|connection from|connect from/"; classtype: successful-user; program: ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000187; sid:5000187; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] Connection blocked by TCP Wrappers"; content: "refused connect from"; classtype: tcp-connection; program: ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000188; sid:5000188; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] Reverse lookup failure"; pcre: "/can't verify hostname|gethostbyaddr/"; classtype: not-suspicious; program: ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000189; sid:5000189; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] Multiple failed login attempts"; content: "repeated login failures"; classtype: misc-attack; program: ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000190; sid:5000190; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] User disconnected due to time out"; content: "timed out after"; classtype: not-suspicious; program: ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000191; sid:5000191; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] Attempted access to a disabled account"; content: "Account is disabled"; classtype: unsuccessful-user; program: ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000192; sid:5000192; rev:2;)
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] Failed authentication"; content: "failed authentication from"; nocase; classtype: unsuccessful-user; program: ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001522; sid:5001522; rev:2;)
-drop tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] Failed authentication - Brute force [5/5]"; content: "failed authentication from"; nocase; flowbits: set,brute_force,86400; classtype: unsuccessful-user; program: ftpd; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000193; sid:5000193; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg: "[FTPD] User logged into an disabled account"; content: "FTP LOGIN FROM"; pcre: "/ apachei | mysql | www | nobody | nogroup | portmap | named | rpc | mail | ftp | shutdown | halt | daemon | bin | postfix | shell | info | guest | psql | user | users | console | uucp | lp | sync | sshd | cdrom | ossec | sagan /"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000412; program: sshd; sid: 5000412; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] FTP Login refused"; content: "FTP LOGIN REFUSED"; classtype: unsuccessful-user; program: ftpd|ftp|FTP|FTPD; reference: url,wiki.quadrantsec.com/bin/view/Main/5000182; sid:5000182; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] File created"; content: " created "; classtype: not-suspicious; program: ftpd|ftp|FTP|FTPD; reference: url,wiki.quadrantsec.com/bin/view/Main/5000183; sid:5000183; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] File deleted"; content: " deleted "; classtype: not-suspicious; program: ftpd|ftp|FTP|FTPD; reference: url,wiki.quadrantsec.com/bin/view/Main/5000184; sid:5000184; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] User uploaded a file to server"; content: "IMPORT file"; classtype: not-suspicious; program: ftpd|ftp|FTP|FTPD; reference: url,wiki.quadrantsec.com/bin/view/Main/5000185; sid:5000185; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] User downloaded a file to server"; content: "EXPORT file"; classtype: not-suspicious; program: ftpd|ftp|FTP|FTPD; reference: url,wiki.quadrantsec.com/bin/view/Main/5000186; sid:5000186; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] Remote host connected to FTP server"; pcre: "/FTP LOGIN FROM|connection from|connect from/"; classtype: successful-user; program: ftpd|ftp|FTP|FTPD; reference: url,wiki.quadrantsec.com/bin/view/Main/5000187; sid:5000187; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] Connection blocked by TCP Wrappers"; content: "refused connect from"; classtype: tcp-connection; program: ftpd|ftp|FTP|FTPD; reference: url,wiki.quadrantsec.com/bin/view/Main/5000188; sid:5000188; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] Reverse lookup failure"; pcre: "/can't verify hostname|gethostbyaddr/"; classtype: not-suspicious; program: ftpd|ftp|FTP|FTPD; reference: url,wiki.quadrantsec.com/bin/view/Main/5000189; sid:5000189; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] Multiple failed login attempts"; content: "repeated login failures"; flowbits: set,brute_force,21600; classtype: misc-attack; program: ftpd|ftp|FTP|FTPD; reference: url,wiki.quadrantsec.com/bin/view/Main/5000190; sid:5000190; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] User disconnected due to time out"; content: "timed out after"; classtype: not-suspicious; program: ftpd|ftp|FTP|FTPD; reference: url,wiki.quadrantsec.com/bin/view/Main/5000191; sid:5000191; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] Attempted access to a disabled account"; content: "Account is disabled"; classtype: unsuccessful-user; program: ftpd|ftp|FTP|FTPD; reference: url,wiki.quadrantsec.com/bin/view/Main/5000192; sid:5000192; rev:4;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] Failed authentication"; content: "failed authentication from"; nocase; classtype: unsuccessful-user; program: ftpd|ftp|FTP|FTPD; reference: url,wiki.quadrantsec.com/bin/view/Main/5001522; sid:5001522; rev:4;)
+drop tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] Failed authentication - Brute force [5/5]"; content: "failed authentication from"; nocase; flowbits: set,brute_force,21600; classtype: unsuccessful-user; program: ftpd|ftp|FTP|FTPD; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000193; sid:5000193; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg: "[FTPD] User logged into an disabled account"; content: "FTP LOGIN FROM"; pcre: "/ apachei | mysql | www | nobody | nogroup | portmap | named | rpc | mail | ftp | shutdown | halt | daemon | bin | postfix | shell | info | guest | psql | user | users | console | uucp | lp | sync | sshd | cdrom | ossec | sagan /"; classtype: successful-user; flowbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5000412; program: ftpd|ftp|FTP|FTPD; sid: 5000412; rev:6;)
+
+# Rule by W. E Restrepo (werestrepo@quadrantsec.com) - 08/30/2016
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FTPD] FTPCHK3 file accessed by user"; content: "ftpchk3"; pcre: "/CHMOD|DELE|STOR/i"; parse_src_ip: 2; parse_dst_ip: 1; parse_port; program: ftp|ftpd|FTP|FTPD; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5002950; reference: url,blog.ftptoday.com/ftp-password-stealing-malware; sid:5002950; rev: 2;)
+
+
diff -Nru sagan-rules-10222015/grsec.rules sagan-rules-20160923/grsec.rules
--- sagan-rules-10222015/grsec.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/grsec.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan grsec.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
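Review bot: In sid 5000193 (rev 9) the `threshold:` count drops from 5 to 1 while the msg still says `[5/5]` and `after:` keeps count 5; the other brute-force rules in this diff (fatpipe 5001958, fortinet 5000907, huawei 5001592) keep `[5/5]` with count 5 and the fipaypin labels `[5/2]`/`[0/2]` suggest the convention is `[after/threshold]`, so either the msg should read `[5/1]` or the count change is unintended. Sid 5000412 (`User logged into an disabled account`) now sets `flowbits: set,brute_force,21600` on a successful login to a service account, which is not a brute-force signal and will trip whatever consumes that flowbit; the same rule still matches ` apachei ` in its pcre, presumably `apache`. The new sid 5002950 arrives at `rev: 2` with `parse_src_ip: 2; parse_dst_ip: 1;` — the reverse of every other rule here — but without a sample log line, so the field positions cannot be checked from the file; add the `# <sample line>` above it as fipaypin.rules does. `program: ftpd|ftp|FTP|FTPD` is repeated on every rule; if Sagan's program match is case-insensitive the upper-case entries are redundant, otherwise a comment naming which daemons emit the upper-case tag would help.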
@@ -29,6 +29,6 @@
 # see these alerts. For more information, see: http://www.grsecurity.net/
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"GRSEC Time set"; content:"time set by";classtype: not-suspicious; program: grsec; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000029; sid: 5000029; rev:4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"GRSEC Signal 11 sent"; content:"signal 11 sent";classtype: program-error; parse_src_ip: 1; program: grsec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000030; sid: 5000030; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"GRSEC Denied resource overstep"; content:"denied resource overstep"; classtype: exploit-attempt; program: grsec; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000042; sid: 5000042; rev:2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[GRSEC] Time set"; content:"time set by";classtype: not-suspicious; program: grsec; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000029; sid: 5000029; rev:5;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[GRSEC] Signal 11 sent"; content:"signal 11 sent";classtype: program-error; parse_src_ip: 1; program: grsec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000030; sid: 5000030; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[GRSEC] Denied resource overstep"; content:"denied resource overstep"; classtype: exploit-attempt; program: grsec; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000042; sid: 5000042; rev:4;)
diff -Nru sagan-rules-10222015/honeyd.rules sagan-rules-20160923/honeyd.rules
--- sagan-rules-10222015/honeyd.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/honeyd.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan honeyd.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/hordeimp.rules sagan-rules-20160923/hordeimp.rules
--- sagan-rules-10222015/hordeimp.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/hordeimp.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan hordeimp.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/hostapd.rules sagan-rules-20160923/hostapd.rules
--- sagan-rules-10222015/hostapd.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/hostapd.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan hostapd.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/huawei.rules sagan-rules-20160923/huawei.rules
--- sagan-rules-10222015/huawei.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/huawei.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan huawei.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -79,7 +79,7 @@ alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] VentTemp2Hot"; content: "SRM/3/VentTemp2Hot"; classtype: hardware-event; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001582; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[HUAWEI] SSH - add_success"; content: "SSH/4/add_success"; classtype: system-event; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001583; rev:2;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[HUAWEI] SSH - LOGIN_FAIL"; content: "SSH/4/LOGIN_FAIL "; classtype: attempted-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001584; rev:2;) -drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[HUAWEI] SSH - LOGIN_FAIL - Brute force [5/5]"; content: "SSH/4/LOGIN_FAIL "; classtype: unsuccessful-user; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; parse_src_ip: 1; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001592; rev:4;) +drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[HUAWEI] SSH - LOGIN_FAIL - Brute force [5/5]"; content: "SSH/4/LOGIN_FAIL "; classtype: unsuccessful-user; flowbits: set,brute_force,21600; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; parse_src_ip: 1; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001592; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[HUAWEI] SSH - LOGIN_FAIL_CHALLENGE_ERR"; content: "SSH/4/LOGIN_FAIL_CHALLENGE_ERR"; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001585; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[HUAWEI] SSH - LOGIN_FAIL_COOKIE_ERR"; content: "SSH/4/LOGIN_FAIL_COOKIE_ERR"; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001586; rev:2;) alert 
tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[HUAWEI] SSH - LOGIN_FAIL_DISSCONNECT"; content: "SSH/4/LOGIN_FAIL_DISSCONNECT"; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001587; rev:2;)
diff -Nru sagan-rules-10222015/imapd-bluedot.rules sagan-rules-20160923/imapd-bluedot.rules
--- sagan-rules-10222015/imapd-bluedot.rules 1970-01-01 00:00:00.000000000 +0000
+++ sagan-rules-20160923/imapd-bluedot.rules 2016-09-21 02:52:28.000000000 +0000
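Review bot: The `flowbits: set,brute_force,21600` added to sid 5001592 gives the flag a 21600 s (6 h) lifetime on a rule that also fires `fwsam: src, 1 day`, so whatever consumes `brute_force` (no isset rule appears in this diff) stops correlating with the source roughly 18 hours before the block expires; if that is intended, a one-line comment above the rule saying so would save the next reader the same question. The same 6 h flowbit with a 1-day fwsam is added to sid 5001645 in the juniper.rules hunk. Something like `# Sets the shared brute_force flowbit (6h); consumer rules live outside this file` would document the contract once here.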
@@ -0,0 +1,49 @@ +# Sagan imapd-bluedot.rules +# Copyright (c) 2009-2016, Quadrant Information Security +# All rights reserved. +# +# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list +# +#************************************************************* +# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the +# following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following +# disclaimer. +# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the +# following disclaimer in the documentation and/or other materials provided with the distribution. +# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE +# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+# +#************************************************************* + + +# 10.1.1.1|mail|info|info|16|2014-06-11|23:12:53|imapd-ssl| LOGIN, user=bob, ip=[192.168.8.1], port=[36938], protocol=IMAP + +alert tcp $HOME_NET any -> $EXTERNAL_NET $IMAP_PORT (msg: "[IMAPD-BLUEDOT] Login from a suspicious source"; program: imapd|imapd-ssl; content: "LOGIN,"; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002075; sid:5002075; rev: 2;) + +# 10.1.1.1|mail|info|info|16|2014-06-11|23:12:53|imapd-ssl| LOGOUT, user=bob, ip=[192.168.8.1], headers=0, body=0, rcvd=96, sent=470, time=0, starttls=1 + +alert tcp $HOME_NET any -> $EXTERNAL_NET $IMAP_PORT (msg: "[IMAPD-BLUEDOT] Logout from a suspicious source"; program: imapd|imapd-ssl; content: "LOGOUT,"; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002076; sid:5002076; rev: 2;) + +# 10.1.1.1|mail|info|info|16|2014-06-12|04:06:34|imapd-ssl| TIMEOUT, user=bob, ip=[192.168.8.1], headers=714, body=8944, rcvd=1050, sent=15577, time=2701, starttls=1 + +alert tcp $HOME_NET any -> $EXTERNAL_NET $IMAP_PORT (msg: "[IMAPD-BLUEDOT] Timeout from a suspicious source"; program: imapd|imapd-ssl; content: "TIMEOUT,"; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002077; sid:5002077; rev: 2;) + +# 10.1.1.1|mail|info|info|16|2014-06-11|23:53:51|imapd-ssl| DISCONNECTED, user=bob, ip=[192.168.8.1], headers=0, body=0, rcvd=357, sent=981, time=10511, starttls=1 + +alert tcp $HOME_NET any -> $EXTERNAL_NET $IMAP_PORT (msg: "[IMAPD-BLUEDOT] Disconnect from a suspicious source"; program: imapd|imapd-ssl; content: "DISCONNECTED,"; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, 
Honeypot; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002078; sid:5002078; rev: 2;) + +# 10.7.1.71|mail|debug|debug|17|2014-06-11|23:53:52|imapd-ssl| Connection, ip=[192.168.8.1] + +# alert tcp $HOME_NET any -> $EXTERNAL_NET $IMAP_PORT (msg: "[IMAPD-BLUEDOT] Connection from a suspicious source"; program: imapd|imapd-ssl; content: "Connection,"; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002079; sid:5002079; rev: 2;) + + diff -Nru sagan-rules-10222015/imapd-correlated.rules sagan-rules-20160923/imapd-correlated.rules --- sagan-rules-10222015/imapd-correlated.rules 2015-10-22 15:19:05.000000000 +0000 +++ sagan-rules-20160923/imapd-correlated.rules 2016-09-21 02:52:28.000000000 +0000 @@ -1,5 +1,5 @@ # Sagan imapd-correlated.rules -# Copyright (c) 2009-2015, Quadrant Information Security +# Copyright (c) 2009-2016, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list diff -Nru sagan-rules-10222015/imapd-geoip.rules sagan-rules-20160923/imapd-geoip.rules --- sagan-rules-10222015/imapd-geoip.rules 2015-10-22 15:19:05.000000000 +0000 +++ sagan-rules-20160923/imapd-geoip.rules 2016-09-21 02:52:28.000000000 +0000 @@ -1,5 +1,5 @@ -# Sagan imapd-geoip.rules -# Copyright (c) 2009-2015, Quadrant Information Security +# Sagan imapd-bluedot.rules +# Copyright (c) 2009-2016, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 
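Review bot: The rules in this new file reuse sid 5002075–5002079, which until this same diff were the [IMAPD-GEOIP] signatures that the imapd-geoip.rules hunk below renumbers to 5002897–5002901; anything keyed on those sids (SIEM tuning, thresholds, the wiki pages named in the `reference:` options) now describes a different rule. Fresh sids from .last_used_sid would avoid the collision, and brand-new rules would normally start at `rev: 1;` rather than `rev: 2;`. The `bluedot:` option is written here as `type ip_reputation, track by_src, none, Malicious, Tor, Honeypot` but as `reputation, by_src, $BLUEDOT_NETWORK` in the imapd-geoip.rules hunk; presumably only one form matches the current rule parser, so both sets should be load-tested before release.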
@@ -28,22 +28,21 @@ # 10.1.1.1|mail|info|info|16|2014-06-11|23:12:53|imapd-ssl| LOGIN, user=bob, ip=[192.168.8.1], port=[36938], protocol=IMAP -alert tcp $HOME_NET any -> $EXTERNAL_NET $IMAP_PORT (msg: "[IMAPD-GEOIP] Login from outside HOME_COUNTRY"; program: imapd|imapd-ssl; content: "LOGIN,"; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002075; sid:5002075; rev: 1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $IMAP_PORT (msg: "[IMAPD-BLUEDOT] Login from suspicious source"; program: imapd|imapd-ssl; content: "LOGIN,"; bluedot: reputation, by_src, $BLUEDOT_NETWORK; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002897; sid:5002897; rev: 1;) # 10.1.1.1|mail|info|info|16|2014-06-11|23:12:53|imapd-ssl| LOGOUT, user=bob, ip=[192.168.8.1], headers=0, body=0, rcvd=96, sent=470, time=0, starttls=1 -alert tcp $HOME_NET any -> $EXTERNAL_NET $IMAP_PORT (msg: "[IMAPD-GEOIP] Logout from outside HOME_COUNTRY"; program: imapd|imapd-ssl; content: "LOGOUT,"; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002076; sid:5002076; rev: 1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $IMAP_PORT (msg: "[IMAPD-BLUEDOT] Logout from suspicious source"; program: imapd|imapd-ssl; content: "LOGOUT,"; bluedot: reputation, by_src, $BLUEDOT_NETWORK; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002898; sid:5002898; rev: 1;) # 10.1.1.1|mail|info|info|16|2014-06-12|04:06:34|imapd-ssl| TIMEOUT, user=bob, ip=[192.168.8.1], headers=714, body=8944, rcvd=1050, sent=15577, time=2701, starttls=1 -alert tcp $HOME_NET any -> $EXTERNAL_NET $IMAP_PORT (msg: "[IMAPD-GEOIP] Timeout from outside HOME_COUNTRY"; program: imapd|imapd-ssl; content: "TIMEOUT,"; country_code: track by_src, isnot $HOME_COUNTRY; classtype: 
successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002077; sid:5002077; rev: 1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $IMAP_PORT (msg: "[IMAPD-BLUEDOT] Timeout from suspicious source"; program: imapd|imapd-ssl; content: "TIMEOUT,"; bluedot: reputation, by_src, $BLUEDOT_NETWORK; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002899; sid:5002899; rev: 1;) # 10.1.1.1|mail|info|info|16|2014-06-11|23:53:51|imapd-ssl| DISCONNECTED, user=bob, ip=[192.168.8.1], headers=0, body=0, rcvd=357, sent=981, time=10511, starttls=1 -alert tcp $HOME_NET any -> $EXTERNAL_NET $IMAP_PORT (msg: "[IMAPD-GEOIP] Disconnect from outside HOME_COUNTRY"; program: imapd|imapd-ssl; content: "DISCONNECTED,"; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002078; sid:5002078; rev: 1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $IMAP_PORT (msg: "[IMAPD-BLUEDOT] Disconnect from suspicious source"; program: imapd|imapd-ssl; content: "DISCONNECTED,"; bluedot: reputation, by_src, $BLUEDOT_NETWORK; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002900; sid:5002900; rev: 1;) # 10.7.1.71|mail|debug|debug|17|2014-06-11|23:53:52|imapd-ssl| Connection, ip=[192.168.8.1] -# alert tcp $HOME_NET any -> $EXTERNAL_NET $IMAP_PORT (msg: "[IMAPD-GEOIP] Connection from outside HOME_COUNTRY"; program: imapd|imapd-ssl; content: "Connection,"; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002079; sid:5002079; rev: 1;) - +alert tcp $HOME_NET any -> $EXTERNAL_NET $IMAP_PORT (msg: "[IMAPD-BLUEDOT] Connection from suspicious source"; program: imapd|imapd-ssl; content: "Connection,"; bluedot: reputation, by_src, $BLUEDOT_NETWORK; classtype: successful-user; parse_src_ip: 1; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5002901; sid:5002901; rev: 1;)
diff -Nru sagan-rules-10222015/imapd.rules sagan-rules-20160923/imapd.rules
--- sagan-rules-10222015/imapd.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/imapd.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan imapd.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
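Review bot: This hunk drops every `country_code: track by_src, isnot $HOME_COUNTRY` detection from imapd-geoip.rules and replaces it with bluedot rules, while the file keeps its imapd-geoip.rules name and the header hunk above retitles it `# Sagan imapd-bluedot.rules`; the net result is two files of bluedot IMAP rules with different sids and different `bluedot:` syntax, and no GEOIP coverage left for imapd. If retiring the GEOIP rules is the intent, deleting the file (as the *-normalize.rulebase files are in this diff) would be clearer; if not, the removed country_code rules should be restored under their original sids. Sid 5002901 also enables the `Connection,` rule that imapd-bluedot.rules leaves commented out — per the sample line it is a debug-level message for every connection, so presumably this means a reputation lookup per IMAP connection rather than per login.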
@@ -27,6 +27,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET $IMAP_PORT (msg: "[IMAPD] User login failed"; pcre: "/Login failed user=|AUTHENTICATE LOGIN failure/i"; classtype: unsuccessful-user; parse_src_ip: 1; program: imapd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000367; sid: 5000367; rev:6;) alert tcp $EXTERNAL_NET any -> $HOME_NET $IMAP_PORT (msg: "[IMAPD] Successful login"; content: "Authenticated user="; classtype: successful-user; program: imapd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000262; sid: 5000262; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET $IMAP_PORT (msg: "[IMAPD] User logout"; content: "Logout user="; classtype: not-suspicious; program: imapd; normalize: imap; reference: url,wiki.quadrantsec.com/bin/view/Main/5000276; sid:5000276; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET $IMAP_PORT (msg: "[IMAPD] Exessive login failures"; content: "Login excessive login"; classtype: unsuccessful-user; program: imapd; normalize: imap; reference: url,wiki.quadrantsec.com/bin/view/Main/5001078; sid: 5001078; rev:3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $IMAP_PORT (msg: "[IMAPD] User logout"; content: "Logout user="; classtype: not-suspicious; program: imapd; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000276; sid:5000276; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $IMAP_PORT (msg: "[IMAPD] Exessive login failures"; content: "Login excessive login"; classtype: unsuccessful-user; program: imapd; normalize; parse_src_ip: 1; flowbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5001078; sid: 5001078; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $IMAP_PORT (msg: "[IMAPD] Brute force attack [5/1]"; pcre: "/Login failed user=|AUTHENTICATE LOGIN failure/i"; classtype: unsuccessful-user; parse_src_ip: 1; flowbits: set,brute_force,21600; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; program: imapd; 
reference: url,wiki.quadrantsec.com/bin/view/Main/5002947; sid:5002947; rev:1;)
diff -Nru sagan-rules-10222015/imap-normalize.rulebase sagan-rules-20160923/imap-normalize.rulebase
--- sagan-rules-10222015/imap-normalize.rulebase 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/imap-normalize.rulebase 1970-01-01 00:00:00.000000000 +0000
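Review bot: Sids 5000276 and 5001078 change `normalize: imap;` to a bare `normalize;` in the same diff that deletes imap-normalize.rulebase, so the username/src-ip extraction those rules relied on now depends on whichever rulebase the bare keyword resolves to, which is not visible here; a comment naming that rulebase above the first rule would make the dependency auditable. The new sid 5002947 repeats sid 5000367's `pcre:` byte-for-byte, which is fine as a thresholded companion but deserves a line such as `# 5002947 is the after/threshold companion of 5000367; both fire on the same pattern`. While sid 5001078 is being revised, its message still reads `"[IMAPD] Exessive login failures"` — `Excessive` would match the ipop3d rule's spelling.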
@@ -1,36 +0,0 @@ -# Sagan imap-normalize.rulebase -# Copyright (c) 2009-2015, Quadrant Information Security -# All rights reserved. -# -# This file is used in conjunction with liblognorm. -# -# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list -# -#************************************************************* -# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the -# following conditions are met: -# -# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following -# disclaimer. -# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the -# following disclaimer in the documentation and/or other materials provided with the distribution. -# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived -# from this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, -# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, -# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE -# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-# -#************************************************************* - - -prefix= -rule= Logout user=%username:word% host=%-:word% [%src-ip:ipv4%] - -rule=: Login excessive login failures user=%username:word% auth=%-:word% host=%-t:word% [%src-ip:ipv4]] -rule=: Login failed user=%username:word% auth=%-:word% host=%-:word% [%src-ip:ipv4%] -rule=: authentication failure; logname= uid=%-:word% euid=%-:word% tty=%-:word% ruser=%-:word% rhost=%src-ip:ipv4% user=%username:word% diff -Nru sagan-rules-10222015/imperva-normalize.rulebase sagan-rules-20160923/imperva-normalize.rulebase --- sagan-rules-10222015/imperva-normalize.rulebase 2015-10-22 15:19:05.000000000 +0000 +++ sagan-rules-20160923/imperva-normalize.rulebase 1970-01-01 00:00:00.000000000 +0000 
@@ -1,32 +0,0 @@ -# Sagan imperva-normalize.rulebase -# Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. -# -# This file is used in conjunction with liblognorm. -# -# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list -# -#************************************************************* -# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the -# following conditions are met: -# -# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following -# disclaimer. -# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the -# following disclaimer in the documentation and/or other materials provided with the distribution. -# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived -# from this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, -# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, -# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE -# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-#
-#*************************************************************
-
-prefix=
-
-rule=: act=Block dst=%dst-ip:ipv4% dpt=%src-port:number% duser=%username:word% src=%src-ip:ipv4% spt=%src-port:number% proto=%proto:word% %all:rest%
-
diff -Nru sagan-rules-10222015/ipop3d.rules sagan-rules-20160923/ipop3d.rules
--- sagan-rules-10222015/ipop3d.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/ipop3d.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan ipop3d.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -25,5 +25,5 @@
 #
 #*************************************************************
-alert tcp $EXTERNAL_NET any -> $HOME_NET $POP3_PORT (msg:"[IPOP3D] Excessive login failures"; content:"Login excessive login failures"; classtype: misc-attack; program: ipop3d; threshold:type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5000032; sid: 5000032; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $POP3_PORT (msg:"[IPOP3D] Excessive login failures"; content:"Login excessive login failures"; classtype: misc-attack; program: ipop3d; threshold:type limit, track by_src, count 5, seconds 300; flowbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5000032; sid: 5000032; rev:4;)
diff -Nru sagan-rules-10222015/juniper-aetas.rules sagan-rules-20160923/juniper-aetas.rules
--- sagan-rules-10222015/juniper-aetas.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/juniper-aetas.rules 2016-09-21 02:52:28.000000000 +0000
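Review bot: Sid 5000032 gains `flowbits: set,brute_force,21600` without a `parse_src_ip: 1;`, whereas sid 5001078 in imapd.rules adds `parse_src_ip: 1;` together with the same flowbit; if the flowbit and the `track by_src` threshold are keyed on the parsed source, this rule will tag the mail server's syslog address rather than the failing client. The same combination (flowbit added, no parse_src_ip) appears on sid 5001642 in the juniper.rules hunk. Either add `parse_src_ip: 1;` to both or leave a comment explaining why the syslog sender is the intended key for these two.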
@@ -1,5 +1,5 @@ # Sagan juniper-aetas.rules -# Copyright (c) 2009-2015, Quadrant Information Security +# Copyright (c) 2009-2016, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list diff -Nru sagan-rules-10222015/juniper-bluedot.rules sagan-rules-20160923/juniper-bluedot.rules --- sagan-rules-10222015/juniper-bluedot.rules 1970-01-01 00:00:00.000000000 +0000 +++ sagan-rules-20160923/juniper-bluedot.rules 2016-09-21 02:52:28.000000000 +0000 
@@ -0,0 +1,35 @@ +# Sagan juniper-bluedot.rules +# Copyright (c) 2009-2016, Quadrant Information Security +# All rights reserved. +# +# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list +# +#************************************************************* +# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the +# following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following +# disclaimer. +# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the +# following disclaimer in the documentation and/or other materials provided with the distribution. +# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE +# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+# +#************************************************************* + + +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[JUNIPER-BLUEDOT] VPN Login from suspicious source"; program: Juniper; pcre: "/Authentication successful|Login succeeded/i"; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002902; sid:5002902; rev: 2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[JUNIPER-BLUEDOT] VPN Logout from suspicious source"; program: Juniper; content: "Logout from"; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002903; sid:5002903; rev: 2;) + +# Juniper alerts for CVE 2015-7755 - Robert Nunley (rnunley@quadrantsec.com) + +alert tcp $HOME_NET any -> $EXTERNAL_NET $SSH_PORT (msg: "[ScreenOS-BLUEDOT] Juniper ScreenOS Admin Login from suspicious source"; content: "Admin user"; content:"has logged on via"; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; classtype: successful-user; parse_src_ip: 1; reference:url,kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search; reference: url, wiki.quadrantsec.com/bin/view/Main/5002904; sid:5002904; rev: 2;) + diff -Nru sagan-rules-10222015/juniper-geoip.rules sagan-rules-20160923/juniper-geoip.rules --- sagan-rules-10222015/juniper-geoip.rules 2015-10-22 15:19:05.000000000 +0000 +++ sagan-rules-20160923/juniper-geoip.rules 2016-09-21 02:52:28.000000000 +0000 @@ -1,5 +1,5 @@ # Sagan juniper-geoip.rules -# Copyright (c) 2009-2015, Quadrant Information Security +# Copyright (c) 2009-2016, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 
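Review bot: Sid 5002904 carries no `program:` option while the two VPN rules above it in the same new file are scoped with `program: Juniper;`, so its `content: "Admin user"` / `content:"has logged on via"` pair is evaluated against every log source rather than only ScreenOS devices. The same unscoped form is used for sid 5002773 in the juniper-geoip.rules hunk and sids 5002771/5002772 in the juniper.rules hunk; if ScreenOS syslog has no stable program field, a comment stating that would explain the omission. Rules in a file created by this diff should also start at `rev: 1;` rather than `rev: 2;`, and `reference:url,kb.juniper.net...` would read consistently as `reference: url, kb.juniper.net...` like the neighbouring reference.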
@@ -29,4 +29,7 @@
 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[JUNIPER-GEOIP] VPN Login from outside HOME_COUNTRY"; program: Juniper; pcre: "/Authentication successful|Login succeeded/i"; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002028; sid:5002028; rev: 1;)
 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[JUNIPER-GEOIP] VPN Logout from outside HOME_COUNTRY"; program: Juniper; content: "Logout from"; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002029; sid:5002029; rev: 1;)
+# Juniper alerts for CVE 2015-7755 - Robert Nunley (rnunley@quadrantsec.com)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $SSH_PORT (msg: "[ScreenOS-GEOIP] Juniper ScreenOS Admin Login from Outside of Home Country"; content: "Admin user"; content:"has logged on via"; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference:url,kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search; reference: url, wiki.quadrantsec.com/bin/view/Main/5002773; sid:5002773; rev: 2;)
diff -Nru sagan-rules-10222015/juniper.rules sagan-rules-20160923/juniper.rules
--- sagan-rules-10222015/juniper.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/juniper.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan juniper.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
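Review bot: The new sid 5002773 message reads `"... Admin Login from Outside of Home Country"` while the two existing rules in this file use the `from outside HOME_COUNTRY` form; keeping the same wording makes the GEOIP family filterable on one string downstream. The new comment line is also placed directly after the previous rule with no separating blank line, unlike the juniper-bluedot.rules file added in this diff, which inserts one before the CVE comment.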
@@ -40,10 +40,10 @@ # Champ Clark (03/01/2013) -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] SSHD_LOGIN_ATTEMPTS_THRESHOLD - Brute Force"; content: "SSHD_LOGIN_ATTEMPTS_THRESHOLD"; program: sshd; classtype: unsuccessful-user; sid: 5001642; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001642; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] SSHD_LOGIN_FAILED_LIMIT - Brute Force"; content: "SSHD_LOGIN_FAILED_LIMIT"; parse_src_ip: 1; program: sshd; classtype: unsuccessful-user; sid: 5001643; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001643; rev:2;) +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] SSHD_LOGIN_ATTEMPTS_THRESHOLD - Brute Force"; content: "SSHD_LOGIN_ATTEMPTS_THRESHOLD"; program: sshd; flowbits: set,brute_force,21600; classtype: unsuccessful-user; sid: 5001642; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001642; rev:3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] SSHD_LOGIN_FAILED_LIMIT - Brute Force"; content: "SSHD_LOGIN_FAILED_LIMIT"; parse_src_ip: 1; program: sshd; flowbits: set,brute_force,21600; classtype: unsuccessful-user; sid: 5001643; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001643; rev:2;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] SSHD_LOGIN_FAILED"; content: "SSHD_LOGIN_FAILED"; program: sshd; parse_src_ip: 1; classtype: unsuccessful-user; sid: 5001644; reference: url,wiki.quadrantsec.com/bin/view/Main/5001644; rev:1;) -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] SSHD_LOGIN_FAILED - Brute force [5/5]"; content: "SSHD_LOGIN_FAILED"; program: sshd; parse_src_ip: 1; classtype: unsuccessful-user; sid: 5001645; after: track by_src, count 5, seconds 300; threshold: type limit, 
track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001645; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] SSHD_LOGIN_FAILED - Brute force [5/5]"; content: "SSHD_LOGIN_FAILED"; program: sshd; parse_src_ip: 1; flowbits: set,brute_force,21600; classtype: unsuccessful-user; sid: 5001645; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001645; rev:4;)
 # Juniper Netscreens
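Review bot: Sid 5001643 gains `flowbits: set,brute_force,21600;` but its revision is left at `rev:2;`, while the sibling rules 5001642 and 5001645 in the same hunk are bumped; a changed rule with an unchanged rev defeats rev-based update tracking, so the line should end `sid: 5001643; ... rev:3;)`. The hunk's leading comment `# Champ Clark (03/01/2013)` is the only documentation for these three rules; a short line saying that the trio shares the `brute_force` flowbit with the other SSH brute-force rules would help.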
@@ -98,10 +98,13 @@ # Juniper VPN devices - Champ Clark (cclark@quadrantsec.com) #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[JUNIPER] VPN Login failed"; program: Juniper; pcre: "/ Login failed | authentication failed /"; parse_src_ip: 1; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002022; sid: 5002022; rev:1;) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[JUNIPER] VPN Login failed - Brute Force [10/5]"; program: Juniper; pcre: "/ Login failed | authentication failed /i"; parse_src_ip: 1; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002023; sid: 5002023; rev:2;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[JUNIPER] VPN Login failed - Brute Force [10/5]"; program: Juniper; pcre: "/ Login failed | authentication failed /i"; flowbits: set,brute_force,21600; parse_src_ip: 1; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002023; sid: 5002023; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[JUNIPER] Possible VPN Login bypass attempt"; program: Juniper; content: "not authenticated yet"; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002024; sid: 5002024; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[JUNIPER] VPN Unable to download virus signatures"; program: Juniper; content: "Unable to download current virus"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5002025; sid: 5002025; rev:3;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[JUNIPER] VPN - Possible scan/probe"; program: Juniper; content: "SSL negotiation failed"; 
parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5002026; sid: 5002026; rev:1;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[JUNIPER] VPN - Policy violation"; program: Juniper; content: "Host Checker policy"; parse_src_ip: 1; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002027; sid: 5002027; rev:1;)
+# Juniper alerts for CVE 2015-7755 - Robert Nunley (rnunley@quadrantsec.com)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $SSH_PORT (msg:"[ScreenOS] Juniper ScreenOS Login for Suspicious Admin user - system"; content: "Admin user system has logged on via"; nocase; content "00515"; parse_src_ip: 1; reference:cve,2015-7755; reference:url,kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search; classtype:successful-admin; sid: 5002771; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $SSH_PORT (msg:"[ScreenOS] Juniper ScreenOS Login for Suspicious Admin user - username"; content "Admin user"; content:"username"; content:"has logged on via"; content: "00515"; parse_src_ip: 1; reference:cve,2015-7755; reference:url,kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search; classtype:successful-admin; sid: 5002772; rev:2;)
diff -Nru sagan-rules-10222015/kismet.rules sagan-rules-20160923/kismet.rules
--- sagan-rules-10222015/kismet.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/kismet.rules 2016-09-21 02:52:28.000000000 +0000
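Review bot: Both new ScreenOS rules contain a `content` option with the colon missing — `content "00515";` in sid 5002771 and `content "Admin user";` in sid 5002772 — while every other option in the file uses `content:`; presumably the rule loader rejects or mis-parses these lines, which would silently disable the CVE 2015-7755 detection. They should read `content: "00515";` and `content: "Admin user";`. Sid 5002771 also applies `nocase;` after its first content while 5002772 has no `nocase` on any of its four matches; if case-insensitivity is wanted for one it is likely wanted for both, and a comment on what the `00515` token identifies in the ScreenOS message would let a reader verify the match without the JSA10713 page.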
@@ -1,5 +1,5 @@
 # Sagan kismet.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/knockd.rules sagan-rules-20160923/knockd.rules
--- sagan-rules-10222015/knockd.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/knockd.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan knockd.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/.last_used_sid sagan-rules-20160923/.last_used_sid
--- sagan-rules-10222015/.last_used_sid 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/.last_used_sid 2016-09-21 02:52:28.000000000 +0000
@@ -1 +1 @@
-5002579
+5002955
diff -Nru sagan-rules-10222015/linux-kernel-normalize.rulebase sagan-rules-20160923/linux-kernel-normalize.rulebase
--- sagan-rules-10222015/linux-kernel-normalize.rulebase 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/linux-kernel-normalize.rulebase 1970-01-01 00:00:00.000000000 +0000
@@ -1,51 +0,0 @@ -# Sagan linux-kernel-normalize.rulebase -# Copyright (c) 2009-2015, Quadrant Information Security -# All rights reserved. -# -# This file is used in conjunction with liblognorm. -# -# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list -# -#************************************************************* -# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the -# following conditions are met: -# -# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following -# disclaimer. -# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the -# following disclaimer in the documentation and/or other materials provided with the distribution. -# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived -# from this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, -# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, -# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE -# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-# -#************************************************************* - -prefix= - -# Rulebase notes: -# -# iptables TCP : iptables flags "--state NEW,INVALID -j LOG" (NOTE: no --prefix!) -# -# -# [6251572.861709] IN=fire OUT=fire PHYSIN=eth0 PHYSOUT=eth1 SRC=X.X.X.X DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9133 DF PROTO=TCP SPT=50661 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0 - -rule=: %-:word% IN=%-:word% OUT=%-:word% PHYSIN=%-:word% PHYSOUT=%-:word% SRC=%src-ip:ipv4% DST=%dst-ip:ipv4% LEN=%-:number% TOS=%-:word% PREC=%-:word% TTL=%-:number% ID=%-:number% %-:word% PROTO=%proto:word% SPT=%src-port:number% DPT=%dst-port:number% %-:rest% - -# iptables UDP : iptables flags "--state NEW,INVALID -j LOG" (NOTE: no --prefix!) -# -# [6252395.294134] IN=fire OUT=fire PHYSIN=eth1 PHYSOUT=eth0 SRC=X.X.X.X DST=X.X.X.X LEN=78 TOS=0x00 PREC=0x00 TTL=50 ID=8658 DF PROTO=UDP SPT=137 DPT=137 LEN=52 -# [6255730.106539] IN=fire OUT=fire PHYSIN=eth0 SRC=X.X.X.X DST=X.X.X.X LEN=76 TOS=0x00 PREC=0xC0 TTL=63 ID=34162 PROTO=UDP SPT=123 DPT=123 LEN=56 -# [6256275.991117] IN=fire OUT=fire PHYSIN=eth0 PHYSOUT=eth1 SRC=X.X.X.X DST=X.X.X.X LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221 - -rule=: %-:word% IN=%-:word% OUT=%-:word% PHYSIN=%-:word% PHYSOUT=%-:word% SRC=%src-ip:ipv4% DST=%dst-ip:ipv4% LEN=%-:number% TOS=%-:word% PREC=%-:word% TTL=%-:word% ID=%-:number% PROTO=%-:word% SPT=%src-port:number% DPT=%dst-port:number% %-:rest% - -rule=: %-:word% IN=%-:word% OUT=%-:word% PHYSIN=%-:word% SRC=%src-ip:ipv4% DST=%dst-ip:ipv4% LEN=%-:number% TOS=%-:word% PREC=%-:word% TTL=%-:number% ID=%-:number% PROTO=%proto:word% SPT=%src-port:number% DPT=%dst-port:number% %-:rest% - - diff -Nru sagan-rules-10222015/linux-kernel.rules sagan-rules-20160923/linux-kernel.rules --- sagan-rules-10222015/linux-kernel.rules 2015-10-22 15:19:05.000000000 +0000 +++ sagan-rules-20160923/linux-kernel.rules 2016-09-21 02:52:28.000000000 +0000 
@@ -1,5 +1,5 @@
 # linux-kernel.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -28,14 +28,14 @@
 # These detect "generic" netfilter/iptables messages. Normalization will _not_ work if your using a user-defined iptables LOG "prefix" options!
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[LINUX-KERNEL] IPTABLES TCP"; content: "IN="; content: "OUT="; content: "PROTO=TCP"; classtype: bad-unknown; reference: url,wiki.quadrantsec.com/bin/view/Main/5001104; normalize: linux-kernel; program: kernel; sid: 5001104; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[LINUX-KERNEL] IPTABLES TCP"; content: "IN="; content: "OUT="; content: "PROTO=UDP"; classtype: bad-unknown; reference: url,wiki.quadrantsec.com/bin/view/Main/5001105; normalize: linux-kernel; program: kernel; sid: 5001105; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[LINUX-KERNEL] IPTABLES TCP"; content: "IN="; content: "OUT="; content: "PROTO=TCP"; classtype: bad-unknown; reference: url,wiki.quadrantsec.com/bin/view/Main/5001104; normalize; program: kernel; sid: 5001104; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[LINUX-KERNEL] IPTABLES TCP"; content: "IN="; content: "OUT="; content: "PROTO=UDP"; classtype: bad-unknown; reference: url,wiki.quadrantsec.com/bin/view/Main/5001105; normalize; program: kernel; sid: 5001105; rev:2;)
 # General file system errors (Champ Clark - 01/09/2014)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[LINUX-KERNEL] ReiserFS error"; content: "REISERFS error"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001943; program: kernel; threshold: type limit, track by_src, count 5, seconds 300; sid: 5001943; rev:1;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[LINUX-KERNEL] Unhandled error code"; content: "Unhandled error code"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001944; program: kernel; threshold: type limit, track by_src, count 5, seconds 300; sid: 5001944; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[LINUX-KERNEL] I/O error"; content: "I/O error, dev"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001945; program: kernel; threshold: type limit, track by_src, count 5, seconds 300; sid: 5001945; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[LINUX-KERNEL] I/O error"; content: "I/O error, dev"; content:!"dev fd"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001945; program: kernel; threshold: type limit, track by_src, count 5, seconds 300; sid: 5001945; rev:2;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[LINUX-KERNEL] hostbyte=DID_ERROR"; content: "hostbyte=DID_ERROR"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001946; program: kernel; threshold: type limit, track by_src, count 5, seconds 300; sid: 5001946; rev:1;)
 # HPSA (HP Raid controllers) - (Champ Clark - 05/07/2015)
diff -Nru sagan-rules-10222015/milter.rules sagan-rules-20160923/milter.rules
--- sagan-rules-10222015/milter.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/milter.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan milter.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/mongodb.rules sagan-rules-20160923/mongodb.rules
--- sagan-rules-10222015/mongodb.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/mongodb.rules 2016-09-21 02:52:28.000000000 +0000
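Review bot: The rewritten sid 5001105 still carries `msg:"[LINUX-KERNEL] IPTABLES TCP"` although its only distinguishing match is `content: "PROTO=UDP"`, so TCP and UDP netfilter hits are indistinguishable in alert output; since the line is already being revised to rev:2, change it to `msg:"[LINUX-KERNEL] IPTABLES UDP"` in the same revision. The header of that rule also still reads `alert tcp` for a UDP match; the adtran rules in this diff use `alert udp` for their UDP counterpart, so `alert udp` here would be consistent, subject to whatever downstream consumers do with the header protocol. The new `content:!"dev fd"` exclusion on sid 5001945 has no comment recording its intent (presumably filtering a particular device class that is noisy); a one-line comment above the rule such as `# Ignore "dev fd*" I/O errors - <reason>` would keep a later editor from dropping it.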
@@ -1,5 +1,5 @@
 # Sagan mongodb.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/mysql.rules sagan-rules-20160923/mysql.rules
--- sagan-rules-10222015/mysql.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/mysql.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan mysql.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/nexpose.rules sagan-rules-20160923/nexpose.rules
--- sagan-rules-10222015/nexpose.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/nexpose.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan nexpose.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/nfcapd-malware.rules sagan-rules-20160923/nfcapd-malware.rules
--- sagan-rules-10222015/nfcapd-malware.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/nfcapd-malware.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan nfcapd-malware.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -36,13 +36,13 @@ # Example log string sent to the FIFO from the modified "nfcapd": # source_ip: 10.10.0.1/80, destination_ip: 173.165.207.65/16464, protocol: UDP, duration: 5.400, flags: |.AP.SF|, tos: 0, packets: 312, bytes: 4222451716, last_time: 2013-11-30 01:10:24, vlan_src: 32767, vlan_dst: 0 -alert udp $HOME_NET any -> $EXTERNAL_NET 16464 (msg: "[NFCAPD-MALWARE] Netflow - ZeroAccess UDP port 16464 detected [5/5]"; program: nfcapd; normalize: nfcapd; content: " UDP,"; content: "/16464, p"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001853; sid: 5001853; rev: 4;) -alert udp $HOME_NET any -> $EXTERNAL_NET 16465 (msg: "[NFCAPD-MALWARE] Netflow - ZeroAccess UDP port 16465 detected [5/5]"; program: nfcapd; normalize: nfcapd; content: " UDP,"; content: "/16465, p"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001854; sid: 5001854; rev: 4;) -alert udp $HOME_NET any -> $EXTERNAL_NET 16470 (msg: "[NFCAPD] Netflow - ZeroAccess UDP port 16470 detected [5/5]"; program: nfcapd; normalize: nfcapd; content: " UDP,"; content: "/16470, p"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001855; sid: 5001855; rev: 3;) -alert udp $HOME_NET any -> $EXTERNAL_NET 16471 (msg: "[NFCAPD-MALWARE] Netflow - ZeroAccess UDP port 16471 detected [5/5]"; program: nfcapd; normalize: nfcapd; content: " UDP,"; content: "/16471, p"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, 
count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001856; sid: 5001856; rev: 4;) +#alert udp $HOME_NET any -> $EXTERNAL_NET 16464 (msg: "[NFCAPD-MALWARE] Netflow - ZeroAccess UDP port 16464 detected [5/5]"; program: nfcapd; normalize; content: " UDP,"; content: "/16464, p"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001853; sid: 5001853; rev: 5;) +#alert udp $HOME_NET any -> $EXTERNAL_NET 16465 (msg: "[NFCAPD-MALWARE] Netflow - ZeroAccess UDP port 16465 detected [5/5]"; program: nfcapd; normalize; content: " UDP,"; content: "/16465, p"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001854; sid: 5001854; rev: 5;) +#alert udp $HOME_NET any -> $EXTERNAL_NET 16470 (msg: "[NFCAPD] Netflow - ZeroAccess UDP port 16470 detected [5/5]"; program: nfcapd; normalize; content: " UDP,"; content: "/16470, p"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001855; sid: 5001855; rev: 4;) +#alert udp $HOME_NET any -> $EXTERNAL_NET 16471 (msg: "[NFCAPD-MALWARE] Netflow - ZeroAccess UDP port 16471 detected [5/5]"; program: nfcapd; normalize; content: " UDP,"; content: "/16471, p"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001856; sid: 5001856; rev: 5;) # Older TCP port 13620 (pre-Q2 
2012) -alert tcp $HOME_NET any -> $EXTERNAL_NET 13620 (msg: "[NFCAPD-MALWARE] Netflow - Old ZeroAccess TCP port 13620 detected [5/5]"; program: nfcapd; normalize: nfcapd; content: " TCP,"; content: "/13620, p"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001857; sid: 5001857; rev: 3;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET 13620 (msg: "[NFCAPD-MALWARE] Netflow - Old ZeroAccess TCP port 13620 detected [5/5]"; program: nfcapd; normalize; content: " TCP,"; content: "/13620, p"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001857; sid: 5001857; rev: 4;) diff -Nru sagan-rules-10222015/nfcapd-normalize.rulebase sagan-rules-20160923/nfcapd-normalize.rulebase --- sagan-rules-10222015/nfcapd-normalize.rulebase 2015-10-22 15:19:05.000000000 +0000 +++ sagan-rules-20160923/nfcapd-normalize.rulebase 1970-01-01 00:00:00.000000000 +0000 
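Review bot: All five ZeroAccess rules (sid 5001853 through 5001857) are commented out and their rev numbers bumped, but nothing in the hunk records why they were disabled or whether this follows from replacing `normalize: nfcapd` with a bare `normalize;` (the nfcapd-normalize.rulebase file is deleted elsewhere in this diff), and the lead-in comment above the block still describes them as live detections for the modified nfcapd FIFO format. Add a dated note before the block, e.g. `# Disabled <DATE> - <reason>; re-enable once normalization for the nfcapd FIFO format is restored`, so that the commented rules are not mistaken for active coverage. Bumping rev on a rule that is disabled also forces a second bump when it is re-enabled; leaving rev untouched until the rule body actually changes is the usual convention.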
@@ -1,34 +0,0 @@ -# Sagan nfcapd-normalize.rulebase -# Copyright (c) 2009-2015, Quadrant Information Security -# All rights reserved. -# -# This file is used in conjunction with liblognorm. -# -# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list -# -#************************************************************* -# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the -# following conditions are met: -# -# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following -# disclaimer. -# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the -# following disclaimer in the documentation and/or other materials provided with the distribution. -# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived -# from this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, -# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, -# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE -# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-# -#************************************************************* - -prefix= -# -# source_ip: 10.1.1.1/54630, destination_ip: 12.159.2.100/13620, protocol: TCP, duration: 0.204, flags: |.A..S.|, tos: 0, packets: 2, bytes: 92, last_time: 2015-06-04 18:29:58, reported by 10.5.1.1 - -rule=: source_ip: %src-ip:ipv4%/%src-port:number%, destination_ip: %dst-ip:ipv4%/%dst-port:number%, protocol: %proto:char-to:\x2c%, %-:rest% diff -Nru sagan-rules-10222015/nfcapd.rules sagan-rules-20160923/nfcapd.rules --- sagan-rules-10222015/nfcapd.rules 2015-10-22 15:19:05.000000000 +0000 +++ sagan-rules-20160923/nfcapd.rules 2016-09-21 02:52:28.000000000 +0000 @@ -1,5 +1,5 @@ # Sagan nfcapd.rules -# Copyright (c) 2009-2015, Quadrant Informat.AP...curity +# Copyright (c) 2009-2016, Quadrant Informat.AP...curity # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 
@@ -38,53 +38,53 @@ # Possible IRC traffic -alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg: "[NFCAPD] Possible IRC detected [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6667, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001984; sid: 5001984; rev: 7;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg: "[NFCAPD] Possible IRC detected [5/5]"; program: nfcapd; normalize; content: "/6667, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001984; sid: 5001984; rev: 9;) # 6697 - IRC traffic -alert tcp $HOME_NET any -> $EXTERNAL_NET 6697 (msg: "[NFCAPD] Possible IRC detected [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6697, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001985; sid: 5001985; rev: 8;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET 6697 (msg: "[NFCAPD] Possible IRC detected [5/5]"; program: nfcapd; normalize; content: "/6697, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001985; sid: 5001985; rev: 10;) # 6660-6669, 7000 -alert tcp $HOME_NET any -> $EXTERNAL_NET 6660 (msg: "[NFCAPD] 
Possible IRC - Port 6660 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6660, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001986; sid: 5001986; rev: 6;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 6661 (msg: "[NFCAPD] Possible IRC - Port 6661 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6661, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001987; sid: 5001987; rev: 6;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 6662 (msg: "[NFCAPD] Possible IRC - Port 6662 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6662, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001988; sid: 5001988; rev: 6;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 6663 (msg: "[NFCAPD] Possible IRC - Port 6663 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6663, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001989; sid: 5001989; rev: 6;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 6664 (msg: "[NFCAPD] Possible IRC - Port 6664 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6664, protocol|3a| TCP,"; content:"flags|3a| 
|7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001990; sid: 5001990; rev: 6;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 6665 (msg: "[NFCAPD] Possible IRC - Port 6665 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6665, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001991; sid: 5001991; rev: 6;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 6666 (msg: "[NFCAPD] Possible IRC - Port 6666 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6666, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001992; sid: 5001992; rev: 6;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 6998 (msg: "[NFCAPD] Possible IRC - Port 6668 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6668, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001993; sid: 5001993; rev: 6;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 6999 (msg: "[NFCAPD] Possible IRC - Port 6669 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6669, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track 
by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001994; sid: 5001994; rev: 6;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 7000 (msg: "[NFCAPD] Possible IRC - Port 7000 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/7000, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001995; sid: 5001995; rev: 6;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET 6660 (msg: "[NFCAPD] Possible IRC - Port 6660 [5/5]"; program: nfcapd; normalize; content: "/6660, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001986; sid: 5001986; rev: 7;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET 6661 (msg: "[NFCAPD] Possible IRC - Port 6661 [5/5]"; program: nfcapd; normalize; content: "/6661, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001987; sid: 5001987; rev: 7;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET 6662 (msg: "[NFCAPD] Possible IRC - Port 6662 [5/5]"; program: nfcapd; normalize; content: "/6662, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001988; sid: 5001988; 
rev: 7;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET 6663 (msg: "[NFCAPD] Possible IRC - Port 6663 [5/5]"; program: nfcapd; normalize; content: "/6663, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001989; sid: 5001989; rev: 7;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET 6664 (msg: "[NFCAPD] Possible IRC - Port 6664 [5/5]"; program: nfcapd; normalize; content: "/6664, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001990; sid: 5001990; rev: 7;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET 6665 (msg: "[NFCAPD] Possible IRC - Port 6665 [5/5]"; program: nfcapd; normalize; content: "/6665, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001991; sid: 5001991; rev: 7;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET 6666 (msg: "[NFCAPD] Possible IRC - Port 6666 [5/5]"; program: nfcapd; normalize; content: "/6666, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001992; sid: 5001992; rev: 7;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET 6998 (msg: "[NFCAPD] Possible IRC - Port 6668 [5/5]"; program: nfcapd; normalize; content: "/6668, 
protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001993; sid: 5001993; rev: 7;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET 6999 (msg: "[NFCAPD] Possible IRC - Port 6669 [5/5]"; program: nfcapd; normalize; content: "/6669, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001994; sid: 5001994; rev: 7;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET 7000 (msg: "[NFCAPD] Possible IRC - Port 7000 [5/5]"; program: nfcapd; normalize; content: "/7000, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001995; sid: 5001995; rev: 7;) # SSH -alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg: "[NFCAPD] PUSH/ACK Traffic Detected [5/5]"; program: nfcapd; normalize: nfcapd; content: "/22, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001996; sid: 5001996; rev: 7;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 2222 (msg: "[NFCAPD] PUSH/ACK Traffic Detected - Port 2222 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/2222, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001997; sid: 5001997; rev: 7;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg: "[NFCAPD] PUSH/ACK Traffic Detected [5/5]"; program: nfcapd; normalize; content: "/22, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001996; sid: 5001996; rev: 8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 2222 (msg: "[NFCAPD] PUSH/ACK Traffic Detected - Port 2222 [5/5]"; program: nfcapd; normalize; content: "/2222, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 20, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001997; sid: 5001997; rev: 9;)
 # Telnet
-alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg: "[NFCAPD] Telnet Traffic Detected via PUSH/ACK [5/5]"; program: nfcapd; normalize: nfcapd; content: "/23, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001998; sid: 5001998; rev: 6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg: "[NFCAPD] Telnet Traffic Detected via PUSH/ACK [5/5]"; program: nfcapd; normalize; content: "/23, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001998; sid: 5001998; rev: 7;)
 # Bittorrent traffic via nfcapd - Robert Nunley 05/08/2015
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6881 (msg: "[NFCAPD] Possible BitTorrent - Port 6881 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6881, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002291; sid: 5002291; rev: 4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6882 (msg: "[NFCAPD] Possible BitTorrent - Port 6882 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6882, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002292; sid: 5002292; rev: 4;);
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6883 (msg: "[NFCAPD] Possible BitTorrent - Port 6883 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6883, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002293; sid: 5002293; rev: 4;);
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6884 (msg: "[NFCAPD] Possible BitTorrent - Port 6884 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6884, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002294; sid: 5002294; rev: 4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6885 (msg: "[NFCAPD] Possible BitTorrent - Port 6885 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6885, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002295; sid: 5002295; rev: 4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6886 (msg: "[NFCAPD] Possible BitTorrent - Port 6886 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6886, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002296; sid: 5002296; rev: 4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6887 (msg: "[NFCAPD] Possible BitTorrent - Port 6887 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6887, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002297; sid: 5002297; rev: 4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6888 (msg: "[NFCAPD] Possible BitTorrent - Port 6888 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6888, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002298; sid: 5002298; rev: 4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6889 (msg: "[NFCAPD] Possible BitTorrent - Port 6889 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6889, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002299; sid: 5002299; rev: 4;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 6881 (msg: "[NFCAPD] Possible BitTorrent - Port 6881 [5/5]"; program: nfcapd; normalize; content: "/6881, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002291; sid: 5002291; rev: 5;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 6882 (msg: "[NFCAPD] Possible BitTorrent - Port 6882 [5/5]"; program: nfcapd; normalize; content: "/6882, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002292; sid: 5002292; rev: 5;);
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 6883 (msg: "[NFCAPD] Possible BitTorrent - Port 6883 [5/5]"; program: nfcapd; normalize; content: "/6883, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002293; sid: 5002293; rev: 5;);
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 6884 (msg: "[NFCAPD] Possible BitTorrent - Port 6884 [5/5]"; program: nfcapd; normalize; content: "/6884, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002294; sid: 5002294; rev: 5;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 6885 (msg: "[NFCAPD] Possible BitTorrent - Port 6885 [5/5]"; program: nfcapd; normalize; content: "/6885, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002295; sid: 5002295; rev: 5;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 6886 (msg: "[NFCAPD] Possible BitTorrent - Port 6886 [5/5]"; program: nfcapd; normalize; content: "/6886, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002296; sid: 5002296; rev: 5;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 6887 (msg: "[NFCAPD] Possible BitTorrent - Port 6887 [5/5]"; program: nfcapd; normalize; content: "/6887, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002297; sid: 5002297; rev: 5;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 6888 (msg: "[NFCAPD] Possible BitTorrent - Port 6888 [5/5]"; program: nfcapd; normalize; content: "/6888, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002298; sid: 5002298; rev: 5;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 6889 (msg: "[NFCAPD] Possible BitTorrent - Port 6889 [5/5]"; program: nfcapd; normalize; content: "/6889, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002299; sid: 5002299; rev: 5;)
 # Tor traffic via nfcapd - Robert Nunley 05/08/2015
-alert tcp $HOME_NET any -> $EXTERNAL_NET 9001 (msg: "[NFCAPD] Possible TOR - Port 9001"; program: nfcapd; normalize: nfcapd; content: "/9001, protocol|3a| TCP,"; flowbits: set, tor_traffic, 15; flowbits: noalert; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; reference: url, wiki.quadrantsec.com/bin/view/Main/5002300; reference: url, torstatus.blutmagie.de; sid: 5002300; rev: 5;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 9001 (msg: "[NFCAPD] Possible TOR - Port 9001"; program: nfcapd; normalize; content: "/9001, protocol|3a| TCP,"; flowbits: set, tor_traffic, 15; flowbits: noalert; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; reference: url, wiki.quadrantsec.com/bin/view/Main/5002300; reference: url, torstatus.blutmagie.de; sid: 5002300; rev: 6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 9030 (msg: "[NFCAPD] Possible TOR - Port 9030 after Port 9001"; program: nfcapd; normalize: nfcapd; content: "/9030, protocol|3a| TCP,"; flowbits: isset, by_src, tor_traffic; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002301; reference: url, torstatus.blutmagie.de; sid: 5002301; rev: 5;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 9030 (msg: "[NFCAPD] Possible TOR - Port 9030 after Port 9001"; program: nfcapd; normalize; content: "/9030, protocol|3a| TCP,"; flowbits: isset, by_src, tor_traffic; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002301; reference: url, torstatus.blutmagie.de; sid: 5002301; rev: 6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg: "[NFCAPD] Possible TOR - Port 443 after Port 9001"; program: nfcapd; normalize: nfcapd; content: "/443, protocol|3a| TCP,"; flowbits: isset, by_src, tor_traffic; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002302; reference: url, torstatus.blutmagie.de; sid: 5002302; rev: 5;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg: "[NFCAPD] Possible TOR - Port 443 after Port 9001"; program: nfcapd; normalize; content: "/443, protocol|3a| TCP,"; flowbits: isset, by_src, tor_traffic; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002302; reference: url, torstatus.blutmagie.de; sid: 5002302; rev: 6;)
diff -Nru sagan-rules-10222015/nginx.rules sagan-rules-20160923/nginx.rules
--- sagan-rules-10222015/nginx.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/nginx.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan nginx.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -33,3 +33,6 @@
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx Initial 401 authentication request"; content: "no user/password was provided for basic authentication"; classtype: unsuccessful-user; program: nginx; reference: url,wiki.quadrantsec.com/bin/view/Main/5000173; sid:5000173; rev:1;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx Web authentication failed"; pcre: "/password mismatch, client|was not found in/i"; classtype: unsuccessful-user; program: nginx; reference: url,wiki.quadrantsec.com/bin/view/Main/5000174; sid:5000174; rev:1;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx Invalid URI, file name too long"; content: "File name too long"; classtype: suspicious-filename-detect; program: nginx; reference: url,wiki.quadrantsec.com/bin/view/Main/5000175; sid:5000175; rev:1;)
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx brute force authentication attempt [5/1]"; pcre: "/password mismatch, client|was not found in/i"; flowbits: set,brute_force,21600; classtype: unsuccessful-user; program: nginx; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002948; sid:5002948; rev:1;)
+
diff -Nru sagan-rules-10222015/normalization.rulebase sagan-rules-20160923/normalization.rulebase
--- sagan-rules-10222015/normalization.rulebase 1970-01-01 00:00:00.000000000 +0000
+++ sagan-rules-20160923/normalization.rulebase 2016-09-21 02:52:28.000000000 +0000
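Review bot: The new sid 5002948 rule's `after: track by_src, count 5, seconds 300` has nothing telling Sagan which address to count by, because unlike the nfcapd rules earlier in this diff it carries no `parse_src_ip` (and no `normalize`), so the counter appears to key on the syslog sender, i.e. the nginx host itself, rather than on the client named in the log line. If that reading is right, five failures from five different clients against one server trip the alert exactly as one client's five attempts do, and the per-client brute-force signal the message claims is not what is actually measured. Adding `parse_src_ip: 1;` after `program: nginx;` would make the tracker use the first address in the message, which in nginx's `client:` error-log field should be the offending client, but that is worth confirming against a captured log line before bumping rev.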
@@ -0,0 +1,394 @@
+# Sagan arp-normalize.rulebase
+# Copyright (c) 2009-2016, Quadrant Information Security
+# All rights reserved.
+#
+# This file is used in conjunction with liblognorm.
+#
+# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
+#
+#*************************************************************
+# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
+# following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
+# disclaimer.
+# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
+# following disclaimer in the documentation and/or other materials provided with the distribution.
+# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#*************************************************************
+
+prefix=
+
+#*****************************************************************************
+# arpalert
+#*****************************************************************************
+
+# arpalert
+# seq=277, mac=00:01:d7:35:55:06, ip=172.22.1.53, reference=172.22.2.69, type=ip_change, dev=eth0, vendor="F5 Networks, Inc."
+
+rule=: seq=%-:word%, mac=%-:word%, ip=%src-ip:ipv4%, reference=%dst-ip:ipv4%, %-:rest%
+
+#*****************************************************************************
+# Bro
+#*****************************************************************************
+
+# This is a "custom" bro output Sagan uses for file hashes from Bro.
+
+rule=: files: %-:word% %-:word% %src-ip:ipv4% %dst-ip:ipv4% %-:word% %-:word% %-:number% %-:word% %mime-type:word% %-:word% %-:word% %-:word% %-:word% %-:number% %-:number% %-:number% %-:number% %-:word% %-:word% %filehash-md5:word% %filehash-sha1:word% %filehash-sha256:word% %-:rest%
+
+#*****************************************************************************
+# Cisco
+#*****************************************************************************
+
+# 1w3d: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.168.0.1
+
+rule=: %uptime:word% %authfail:word% Authentication failure for SNMP req from host %src-ip:ipv4%
+
+# Dec 26 19:59:26: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.128.27
+
+rule=: %month:word% %day:word% %hour:word% %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host %src-ip:ipv4%
+
+# Access denied URL http://www.example.com/somethings.txt SRC 192.168.0.1 DEST 10.10.10.10 on interface inside
+
+rule=: Access denied URL %url:word% SRC %src-ip:ipv4% DEST %dst-ip:ipv4% %-:rest%
+
+# Caused by WebVPN or IPSec
+# AAA user authentication Successful : server = 10.10.10.10 : user = domain\bob
+
+rule=: AAA user authentication Successful : server = %ip-src:ipv4% : user = %username:word%
+rule=: AAA user authentication Rejected : reason = AAA failure : server = %src-ip:ipv4% : user = %username:word%
+
+# User authentication failed: Uname: timothy
+
+rule=: User authentication failed: Uname: %username:word%
+
+# Space at the end of this line!
+# %ASA-6-315011: SSH session from 192.168.0.1 on interface Outside2 for user "test" disconnected by SSH server, reason: "Internal error" (0x00)
+# SSH session from 10.20.10.200 on interface Outside2 for user "root" disconnected by SSH server, reason: "Internal error" (0x00)
+
+rule=: SSH session from %src-ip:ipv4% on interface %-:word% for user %username:quoted-string% disconnected by SSH server, %-:rest%
+rule=: SSH session from %src-ip:ipv4% on interface %-:word% for user %username:quoted-string% disconnected by SSH server, %-:rest%
+
+rule=: Configured from console by %-:word% (%src-ip:ipv4%)
+rule=: Authentication failure for %proto:word% req from host %src-ip:ipv4%
+rule=: Attempted to connect to %username:word% from %src-ip:ipv4%
+
+# 02:19:47.007 UTC: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.10.10.10
+#
+rule=: %-:word% %-:word% %-:word% %-:word% %%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host %src-ip:ipv4%
+
+# Deny TCP (no connection) from perforce/139 to 192.168.73.1/2048 flags RST ACK on interface INSIDE
+#
+rule=: Deny %proto:word% (no connection) from %src-ip:ipv4%/%src-port:number% to %dst-ip:ipv4%/%dst-port:number% flags %-:rest%
+
+# Mar 31 02:30:42.815 UTC: %SYS-5-CONFIG_I: Configured from console by sachen on vty0 (10.32.23.63)
+#
+rule=: %-:word% %-:word% %-:word% %-:word% %%SYS-5-CONFIG_I: Configured from console by %username:word% on %-:word% (%src-ip:ipv4%)
+
+# Deny inbound UDP from 46.161.166.49/63905 to 214.20.10.211/65257 on interface OUTSIDE
+#
+rule=: Deny inbound UDP from %src-ip:ipv4%/%src-port:number% to %dst-ip:ipv4%/%dst-port:number% %-:rest%
+
+# Denied ICMP type=8, code=0 from 159.101.118.111 on interface INSIDE
+#
+rule=: Denied ICMP type=%-:number%, code=%-:number% from %src-ip:ipv4% %-:rest%
+
+# These cover a lot of WebVPN, etc rules.
+#
+# Group User IP <10.10.10.10> WebVPN session terminated: User Requested.
+# Group User IP <10.10.10.10> WebVPN session terminated: Idle Timeout.
+# Group User IP <10.10.10.10> SVC closing connection: Transport closing.
+# Group User IP <10.10.10.10> SVC Message: 17/ERROR: Reconnecting to recover from error..
+#
+rule=: Group <%-:char-to:\x3e%> User <%username:char-to:\x3e%> IP <%src-ip:char-to:\x3e%> %-:rest%
+
+# Teardown UDP connection 31929471 for inside:10.10.10.10/1111 to dmz:239.254.0.4/12224 duration 0:00:00 bytes 0
+# Teardown TCP connection 1829067148 for outside:10.10.10.10/443 to inside:192.168.1.1/10830 duration 0:03:04 bytes 8699 TCP FINs"
+
+rule=: Teardown %proto:word% connection %connection:number% for %-:char-to:\x3a%:%src-ip:ipv4%/%src-port:number% to %-:char-to:\x3a%:%dst-ip:ipv4%/%dst-port:number% %-:rest%
+
+# Teardown ICMP connection for faddr 10.10.10.10/0 gaddr 192.168.1.1/10000 laddr 192.168.1.1/100001
+
+rule=: Teardown %proto:word% connection for %-:word% %src-ip:ipv4%/%src-port:number% %-:word% %dst-ip:ipv4%/28694 %-:rest%
+
+# access-list inside_egress permitted tcp inside/10.10.10.1(10000) -> outside/192.186.1.1(80) hit-cnt 1 first hit [0xf83f456b, 0x0]
+
+rule=: access-list %-:word% permitted %proto:word% %-:char-to:\x2f%/%src-ip:ipv4%(%src-port:number%) -> %-:char-to:\x2f%/%dst-ip:ipv4%(%dst-port:number%) %-:rest%
+
+# Built inbound TCP connection 3171137 for outside:10.10.10.10/10000 (10.10.10.10/10000)(DOMAIN\Bob) to inside:192.168.1.10/80 (192.168.1.1/80) (Bob)
+
+rule=: Built %-:word% %proto:word% connection %-:number% for %-:char-to:\x3a%:%src-ip:ipv4%/%src-port:number% (%-:ipv4%/58521)(%domain:char-to:\x5c%\%username:char-to:\x29%) to %-:char-to:\x3a%:%dst-ip:ipv4%/%dst-port:number% %-:rest%
+
+# Built inbound TCP connection 1834111354 for outside:10.10.10.10/28490 (10.10.10.10/28490) to dmz:192.168.1.1/80 (192.168.1.1/80)
+
+rule=: Built %-:word% %proto:word% connection %-:number% for %-:char-to:\x3a%:%src-ip:ipv4%/%src-port:number% %-:word% to %-:char-to:\x3a%:%dst-ip:ipv4%/%dst-port:number% %-:rest%
+
+# Group = Employee, Username = bob, IP = 10.10.10.10, Error processing payload: Payload ID: 14
+
+rule=: Group = %-:word%, Username = %username:word%, IP = %src-ip:ipv4%, %-:rest%
+rule=: Group = %-:char-to:\x2c%, Username = %username:char-to:\x2c%, IP = %src-ip:ipv4%, %-:rest%
+
+# FTP connection from inside:10.10.1.1/3789 to outside:12.12.12.12/21, user bob Retrieved file somefile.txt
+
+rule=: FTP connection from %-:char-to:\x3a%:%src-ip:ipv4%/%src-port:number% to %-:char-to:\x3a%:%dst-ip:ipv4%/%dst-port:number%, user %username:word% %-:rest%
+
+# TCP access denied by ACL from 10.10.10.10/28490 to inside:192.168.1.1/80
+
+rule =: TCP access denied by ACL from %src-ip:ipv4%/%src-port:number% to %-:char-to:\x3a%:%dst-ip:ipv4%/%dst-port:number%
+
+# Teardown TCP connection 361112504 for outside:10.10.1.100/61160(LOCAL\Bob) to inside:12.159.2.124/443 duration 0:00:13 bytes 3216 TCP FINs (Bob)
+
+rule=: Teardown %proto:word% connection %-:number% for outside:%src-ip:ipv4%/%src-port:number%%-:word% to inside:%dst-ip:ipv4%/%dst-port:number% %-:rest%
+
+# Cisco ACS normalization
+
+rule=: %-:word% %-:number% %-:number% %-:word% %-:word% %-:word% %-:word% %-:word% NOTICE Failed-Attempt: Authentication failed, ACSVersion=%-:word% ConfigVersionId=%-:word% Device IP Address=%src-ip:char-to:\x2c%, Device Port=%src-port:char-to:\x2c%, UserName=%username:char-to:\x2c%, Protocol=%-:word% RequestLatency=%-:word% NetworkDeviceName=%-:word% Type=Authentication, Action=Login, Privilege-Level=%-:word% Authen-Type=%-:word% Service=Login, User=%-:word% Port=%-:word% Remote-Address=%dst-ip:char-to:\x2c%, %-:rest%
+
+#*****************************************************************************
+# DNS (bind, etc)
+#*****************************************************************************
+
+rule=: client %src-ip:ipv4%#%src-port:number%: update '%-:char-to:\x27%' denied
+rule=: client %src-ip:ipv4%#%src-port:number%: query (cache) '%-:char-to:\x27%' denied
+rule=: unexpected RCODE %-:word% resolving '%-:char-to:\x27%': %src-ip:ipv4%#%src-port:number%
+rule=: error (unexpected RCODE %-:word% resolving '%-:char-to:\x27%': %src-ip:ipv4%#%src-port:number%
+
+#*****************************************************************************
+# Fortinet/Fortigate
+#*****************************************************************************
+
+rule=: time=%-:word% devname=%-:word% devid=%-:word% logid=%-:word% type=%-:word% subtype=%-:word% level=%-:word% vd=%-:word% srcip=%src-ip:ipv4% srcport=%src-port:number% srcintf=%-:word% dstip=%dst-ip:ipv4% dstport=%dst-port:number% dstintf=%-:word% %-:rest%
+
+#*****************************************************************************
+# IMAP
+#*****************************************************************************
+
+rule=: Logout user=%username:word% host=%-:word% [%src-ip:ipv4%]
+rule=: Login excessive login failures user=%username:word% auth=%-:word% host=%-t:word% [%src-ip:ipv4]]
+rule=: Login failed user=%username:word% auth=%-:word% host=%-:word% [%src-ip:ipv4%]
+rule=: authentication failure; logname= uid=%-:word% euid=%-:word% tty=%-:word% ruser=%-:word% rhost=%src-ip:ipv4% user=%username:word%
+
+#*****************************************************************************
+# Imperva
+#*****************************************************************************
+
+rule=: act=Block dst=%dst-ip:ipv4% dpt=%src-port:number% duser=%username:word% src=%src-ip:ipv4% spt=%src-port:number% proto=%proto:word% %all:rest%
+
+#*****************************************************************************
+# Linux kernel
+#*****************************************************************************
+
+# Rulebase notes:
+#
+# iptables TCP : iptables flags "--state NEW,INVALID -j LOG" (NOTE: no --prefix!)
+#
+#
+# [6251572.861709] IN=fire OUT=fire PHYSIN=eth0 PHYSOUT=eth1 SRC=X.X.X.X DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9133 DF PROTO=TCP SPT=50661 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
+
+rule=: %-:word% IN=%-:word% OUT=%-:word% PHYSIN=%-:word% PHYSOUT=%-:word% SRC=%src-ip:ipv4% DST=%dst-ip:ipv4% LEN=%-:number% TOS=%-:word% PREC=%-:word% TTL=%-:number% ID=%-:number% %-:word% PROTO=%proto:word% SPT=%src-port:number% DPT=%dst-port:number% %-:rest%
+
+# iptables UDP : iptables flags "--state NEW,INVALID -j LOG" (NOTE: no --prefix!)
+#
+# [6252395.294134] IN=fire OUT=fire PHYSIN=eth1 PHYSOUT=eth0 SRC=X.X.X.X DST=X.X.X.X LEN=78 TOS=0x00 PREC=0x00 TTL=50 ID=8658 DF PROTO=UDP SPT=137 DPT=137 LEN=52
+# [6255730.106539] IN=fire OUT=fire PHYSIN=eth0 SRC=X.X.X.X DST=X.X.X.X LEN=76 TOS=0x00 PREC=0xC0 TTL=63 ID=34162 PROTO=UDP SPT=123 DPT=123 LEN=56
+# [6256275.991117] IN=fire OUT=fire PHYSIN=eth0 PHYSOUT=eth1 SRC=X.X.X.X DST=X.X.X.X LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221
+
+rule=: %-:word% IN=%-:word% OUT=%-:word% PHYSIN=%-:word% PHYSOUT=%-:word% SRC=%src-ip:ipv4% DST=%dst-ip:ipv4% LEN=%-:number% TOS=%-:word% PREC=%-:word% TTL=%-:word% ID=%-:number% PROTO=%-:word% SPT=%src-port:number% DPT=%dst-port:number% %-:rest%
+
+rule=: %-:word% IN=%-:word% OUT=%-:word% PHYSIN=%-:word% SRC=%src-ip:ipv4% DST=%dst-ip:ipv4% LEN=%-:number% TOS=%-:word% PREC=%-:word% TTL=%-:number% ID=%-:number% PROTO=%proto:word% SPT=%src-port:number% DPT=%dst-port:number% %-:rest%
+
+#*****************************************************************************
+# nfcap / nfdump
+#*****************************************************************************
+
+# source_ip: 10.1.1.1/54630, destination_ip: 12.159.2.100/13620, protocol: TCP, duration: 0.204, flags: |.A..S.|, tos: 0, packets: 2, bytes: 92, last_time: 2015-06-04 18:29:58, reported by 10.5.1.1
+
+rule=: source_ip: %src-ip:ipv4%/%src-port:number%, destination_ip: %dst-ip:ipv4%/%dst-port:number%, protocol: %proto:char-to:\x2c%, %-:rest%
+
+#*****************************************************************************
+# OpenSSH
+#*****************************************************************************
+
+rule=: Failed %-:word% for invalid user %username:word% from %src-ip:ipv4% port %src-port:number% ssh2
+rule=: Accepted %-:word% for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2
+rule=: Accepted keyboard-interactive/pam for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2
+rule=: Accepted password for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2
+rule=: error: PAM: Authentication failure for %username:word% from %src-ip:ipv4%
+rule=: error: PAM: Authentication failure for %username:word% from %src-host:word%
+rule=: pam_unix(sshd:auth): authentication failure; logname= uid=%uid:number% euid=%-:number% tty=ssh ruser= rhost=%src-ip:ipv4% user=%username:word%
+rule=: pam_unix(sshd:auth): authentication failure; logname= uid=%uid:number% euid=%-:number% tty=ssh ruser= rhost=%src-ip:ipv4%
+rule=: PAM %number:number% more authentication failure; logname= uid=%uid:number% euid=%-:number% tty=ssh ruser= rhost=%src-ip:ipv4%
+rule=: Accepted publickey for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2
+rule=: error: PAM: Authentication failure for illegal user %username:word% from %src-ip:ipv4%
+rule=: Failed password for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2
+rule=: Accepted gssapi-with-mic for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2
+rule=: Postponed keyboard-interactive for invalid user %username:word% from %src-ip:ipv4% port %src-port:number% ssh2 [preauth]
+rule=: Failed keyboard-interactive/pam for invalid user %username:word% from %src-ip:ipv4% port %src-port:number% ssh2
+rule=: input_userauth_request: invalid user %username:word% [preauth]
+rule=: Invalid user %username:word% from %src-ip:ipv4%
+rule=: Disconnecting: Too many authentication failures for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2 [preauth]
+
+#*****************************************************************************
+# Palo-Alto
+#
+# These likely need to be retested!
+#
+#*****************************************************************************
+
+rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,url-log,pattern4:THREAT,url,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,tcp,%action:char-sep:\x2C%,%url:char-sep:\x2C%,(9999),%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%sequence_number:number%,%actionflags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest%
+
+
+rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,url-log,pattern1:THREAT,url,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:char-sep:\x2C%,%natdstip:char-sep:\x2C%,%policy:char-sep:\x2C%,%source_user:char-sep:\x2C%,%destination_user:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session_id:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:char-sep:\x2C%,%nat-dst-port:char-sep:\x2C%,%flags:char-sep:\x2C%,tcp,%action:char-sep:\x2C%,%url:quoted-string%,(%threatid:char-sep:\x2C%),%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%sequence_number:number%,%actionflags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest%
+
+rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,url-log,pattern2:THREAT,url,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,tcp,%action:char-sep:\x2C%,%url:char-sep:\x28%,%ips-threat-id:char-sep:\x2C%,%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%sequence_number:number%,%actionflags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest%
+
+rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,url-log,pattern3:THREAT,url,%-:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,tcp,%action:char-sep:\x2C%,%url:char-sep:\x22\x2C\x28%,(%ips-threat-id:char-sep:\x28%,%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%sequence_number:number%,%actionflags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%unusedfield:char-sep:\x2C%,%content-type:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%therest:rest%
+
+rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,url-log,pattern5:THREAT,url,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,tcp,%action:char-sep:\x2C%,%url:quoted-string%,(9999),%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%sequence_number:number%,%actionflags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest%
+
+rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,url-log,pattern6:THREAT,url,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,tcp,%action:char-sep:\x2C%,%url:quoted-string%,%ips-threat-id:char-sep:\x2C%,%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%sequence_number:number%,%actionflags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest%
+
+rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,url-log,pattern7:THREAT,url,%-:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,tcp,%action:char-sep:\x2C%,\"%url:char-sep:\x22\x2C\",(%ips-threat-id:char-sep:\x28%,%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%sequence_number:number%,%actionflags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%unusedfield:char-sep:\x2C%,%content-type:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%therest:rest%
+#####VIRUS
+
+###SAMPLE##### 23:27:06,00099999999,THREAT,virus,0,2014/03/10 23:27:00,198.63.231.38,192.168.192.49,198.63.231.38,99.98.97.206,Users Out,,,ftp,vsys1,Untrust,Trust,ethernet1/1,ethernet1/16,logzprof,2014/03/10 23:27:06,144015,1,39874,56238,39874,60251,0x400000,tcp,deny,"Files.exe",Trojan/Win32.agent.dipyh(2203092),any,medium,server-to-client,172814842,0x0,United States,192.168.0.0-192.168.255.255,0,
+
+rule=: 
%time:time-24hr%,%devserial:char-sep:\x2C%,virus,pattern1:THREAT,virus,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,0x%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%virusinfo:quoted-string%,%virusname:char-sep:(%(%threat:number%),%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest% + +#####VULNERABILITY + +###SAMPLE WITH NAT##### 09:35:32,00099999999,THREAT,vulnerability,0,2014/03/15 09:35:27,217.162.12.99,99.98.97.7,217.162.12.99,192.168.100.3,SOMEPOLICY,,,web-browsing,vsys1,Untrust,DMZ,ethernet1/1,ethernet1/3,logzprof,2014/03/15 09:35:31,136093,1,40549,80,40549,80,0x400000,tcp,drop-all-packets,"php4",PHP CGI Query String Parameter Handling Information Disclosure and DoS Vulnerability(34804),any,medium,client-to-server,174087202,0x0,Switzerland,United States,0, + +rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,vulnerability,pattern1:THREAT,vulnerability,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% 
%time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%vulname:quoted-string%,%vulnmsg:char-sep:(%(%threat:number%),%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest% + +###SAMPLE WITHOUT NAT#### 18:26:58,00099999999,THREAT,vulnerability,0,2014/05/15.18:26:53,192.168.1.132,192.168.100.3,,,TRUST-DMZ,,,smtp,vsys1,Trust,DMZ,ethernet1/16,ethernet1/3,logzprof,2014/05/15.18:26:58,241073,1,49977,25,0,0,0x0,tcp,drop-all-packets,"image8.emf",Adobe.Reader.Heap.Buffer.Overflow.Vulnerability(36458),any,critical,client-to-server,187015108,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0, + +rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,vulnerability,pattern2:THREAT,vulnerability,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%vulname:quoted-string%,%vulnmsg:char-sep:(%(%threat:number%),%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest% + +#####FILE + +####SAMPLE### 01:13:03,00099999999,THREAT,file,1,2014/03/22 01:12:57,65.55.227.140,192.168.1.135,65.55.227.140,32.33.34.5,Users 
Out,,,sharepoint-base,vsys1,outside,inside,ethernet1/1,ethernet1/16,logzprof,2014/03/22 01:13:02,63889,1,80,57055,80,28843,0x404000,tcp,alert,"AF101807649.wat",Microsoft PE File(52060),any,low,server-to-client,718288,0x0,United States,192.168.0.0-192.168.255.255,0, + +rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,file-detection,pattern1:THREAT,file,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%filename:quoted-string%,%filetype:char-sep:\x2C%,%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest% + +####SPYWARE + +##SAMPLE### 01:13:03,00099999999,THREAT,spyware,1,2014/03/22 03:50:55,162.213.31.66,32.33.34.114,162.213.31.66,192.168.168.39,rule 77,,,sip,vsys1,outside,inside,ethernet1/1,ethernet1/16,logzprof,2014/03/22 03:51:00,196169,1,5061,5060,5061,5060,0x404000,udp,drop-packet,"",Sipvicious.Gen User-Agent Traffic(13272),any,low,client-to-server,718302,0x0,United States,United States,0, + +rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,spyware,pattern1:THREAT,spyware,%-:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% 
%gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%vulname:char-sep:\x2C%,%vulnmsg:char-sep:\x2C%,%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest% + +##SAMPLE### 15:48:07,00099999999,THREAT,spyware,1,2014/12/22 15:48:07,192.168.0.8,199.2.252.10,28.16.19.5,199.2.252.10,DNS_SERVERS_OUT,,,dns,vsys1,inside,outside,ethernet1/16,ethernet1/1,logzprof,2014/12/22 15:48:07,103238,1,49398,53,36378,53,0x404000,udp,drop-all-packets,\"\",Suspicious DNS Query (generic:ib.spotsmagic.com)(4083979),any,medium,client-to-server,78603388,0x0,192.168.0.0-192.168.255.255,US,0,,0,, + +rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,spyware-dns,pattern1:THREAT,spyware,%-:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% 
%time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%vulname:quoted-string%,%vulnmsg:char-sep:\x2C%,%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest% + +#####TRAFFIC +# Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, +#Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, +#Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile, +#FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination +#Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category, +#FUTURE_USE, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Packets +#Sent, Packets Received. 
+ +##SAMPLE WITH NAT## +# 20:34:24,00099999999,TRAFFIC,start,0,2014/06/11 20:34:23,10.11.12.13,64.46.69.96,9.8.20.207,64.46.69.96,Policyname,,,ssl,vsys1,Trust,Untrust,ethernet1/16,ethernet1/1,logzprof,2014/06/11 20:34:23,99660,1,1950,443,56427,443,0x400000,tcp,allow,340,278,62,4,2014/06/11 20:34:24,0,any,0,683837684,0x0,10.0.0.0-10.255.255.255,United States,0,3,1 + +rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,traffic,pattern1:TRAFFIC,%subtype:char-sep:\x2C%,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%bytes:number%,%bytes_sent:number%,%bytes_received:number%,%packets:number%,%start_time:char-sep:\x2C%,%elapsed_time:number%,%url_category:char-sep:\x2C%,%-:char-sep:\x2C%,%sequence_number:number%,%panorama_flags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%-:char-sep:\x2C%,%packets_sent:number%,%packets_received:number%%therest:rest% + +rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,traffic,pattern2:TRAFFIC,%subtype:char-sep:\x2C%,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% 
%time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%bytes:number%,%bytes_sent:number%,%bytes_received:number%,%packets:number%,%start_time:char-sep:\x2C%,%elapsed_time:number%,%url_category:char-sep:\x2C%,%-:char-sep:\x2C%,%sequence_number:number%,%panorama_flags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%-:char-sep:\x2C%,%packets_sent:number%,%packets_received:number% + +###SAMPLE WITHOUT NAT +#Dec 10 04:27:05 fwname,2014/12/10 04:27:05,00099999999,TRAFFIC,drop,1,2014/12/10 04:26:59,17.27.18.13,5.23.16.2,,,Inbound Block Evil,,,icmp,vsys1,Untrust,Trust,ethernet1/1,,logzprof,2014/12/10 04:27:04,0,1,0,0,0,0,0x0,icmp,deny,106,106,0,1,2014/12/10 04:27:00,0,any,0,315118370,0x0,Morocco,United States,0,1,0 +#Dec 9 22:50:27 fwname,2014/12/09 22:50:27,00099999999,TRAFFIC,drop,1,2014/12/09 22:50:26,41.141.224.222,5.23.16.1,,,Inbound Block Evil,,,not-applicable,vsys1,Untrust,Trust,ethernet1/1,,logzprof,2014/12/09 22:50:26,0,1,51762,80,0,0,0x0,tcp,deny,62,62,0,1,2014/12/09 22:50:27,0,any,0,314787233,0x0,Morocco,United States,0,1,0 + +rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,traffic,pattern3:TRAFFIC,%subtype:char-sep:\x2C%,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% 
%time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%bytes:number%,%bytes_sent:number%,%bytes_received:number%,%packets:number%,%start_time:char-sep:\x2C%,%elapsed_time:number%,%url_category:char-sep:\x2C%,%-:char-sep:\x2C%,%sequence_number:number%,%panorama_flags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%-:char-sep:\x2C%,%packets_sent:number%,%packets_received:number%%therest:rest% + +rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,traffic,pattern4:TRAFFIC,%subtype:char-sep:\x2C%,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%bytes:number%,%bytes_sent:number%,%bytes_received:number%,%packets:number%,%start_time:char-sep:\x2C%,%elapsed_time:number%,%url_category:char-sep:\x2C%,%-:char-sep:\x2C%,%sequence_number:number%,%panorama_flags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%-:char-sep:\x2C%,%packets_sent:number%,%packets_received:number% + +#***************************************************************************** +# HP Procurve +#***************************************************************************** + +#FFI: port 14 - Security Violation +rule=: port %-:number% - Security Violation + +#***************************************************************************** +# SMTP 
+#*****************************************************************************
+
+rule=: %-:word% %-:word% [%src-ip:ipv4%]: expn %username:word%
+
+# p0IGs29E022795: ruleset=check_rcpt, arg1=, relay=mailhost.example.com [192.168.0.1], reject=553 5.1.8 ... Domain of sender address bogus@example.com does not exist
+
+rule=: %-:word% ruleset=check_rcpt, %-:word% relay=%y:word% [%src-ip:ipv4%] (may be forged), reject=%-:number% %-:rest%
+
+# p0I3FCpA013475: [192.168.0.1]: Possible SMTP RCPT flood, throttling.
+
+rule=: %-:word%: [%src-ip:ipv4%]: Possible SMTP RCPT flood, throttling.
+
+#*****************************************************************************
+# Snort
+#*****************************************************************************
+
+# Jun 2 00:41:47 demo snort: [1:19559:5] INDICATOR-SCAN SSH brute force login attempt [Classification: Misc activity] [Priority: 3] {TCP} 43.255.188.148:35236 -> 10.5.1.3:22
+
+rule=: [%generator_id:number%:%sig_id:number%:%rev:number%] %sig_name:char-to:\x5b%[Classification: %classtype:char-to:\x5d%] [Priority: %pri:number%] {%proto:char-to:\x7d%} %dst-ip:ipv4%:%dst-port:number% -> %src-ip:ipv4%:%src-port:number%
+
+#*****************************************************************************
+# Sonicwall
+#*****************************************************************************
+
+# Remember the space at the end of the rule.. Also " counts as part of a %thing:word%
+
+rule=: id=%firewall:word% sn=%serial:word% time="%date:date-iso% %time:time-24hr%" fw=%fire-ip:ipv4% pri=%pri:number% c=%c:number% m=%m:number% msg="Possible port scan detected" n=%n:number% src=%src-ip:ipv4%:%src-port:number%:%interface:word% dst=%dst-ip:ipv4%:%dst-port:number%:%interface:word% note=%ports-scanned:quoted-string%
+
+#rule=: msg="%alert:char-to:\x22%" sid=%sid:number% ipscat=%proto:word% ipspri=%ipspri:number% n=%n:number% src=%src-ip:ipv4%:%src-port:number%:%interface:word% dst=%dst-ip:ipv4%:%dst-port:number%:%interface:word%
+
+rule=: id=%firewall:word% sn=%serial:word% time="%date:date-iso% %time:time-24hr%" fw=%fire-ip:ipv4% pri=%pri:number% c=%c:number% m=%m:number% msg=%alert:quoted-string% sid=%sid:number% ipscat=%proto:word% ipspri=%ipspri:number% n=%n:number% src=%src-ip:ipv4%:%src-port:number%:%interface:word% dst=%dst-ip:ipv4%:%dst-port:number%:%interface:word%
+
+#*****************************************************************************
+# su/sudo
+#*****************************************************************************
+
+rule=: Successful su for %-:word% by %username:word%
+rule=: pam_unix(sudo:auth): authentication failure; logname= uid=%uid:number% euid=%-:number% %-:word% ruser= rhost= user=%username:word%
+
+#*****************************************************************************
+# VMWare (ESXi, etc)
+#*****************************************************************************
+
+rule=: Accepted password for %username:word% from %src-ip:ipv4%
+
+#*****************************************************************************
+# Microsoft Windows (via Evt2sys or NXLog
+#*****************************************************************************
+
+# Note the space at the end!
+#
+#rule=: 529: NT AUTHORITY\\SYSTEM: Logon Failure: Reason: Unknown user name or bad password User Name: %username:word% Domain: %-:word% Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: %-:word% Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: %src-ip:ipv4% Source Port: %src-port:number%
+
+#rule=: 529: S-1-5-18: Logon Failure: Reason: Unknown user name or bad password User Name: %username:word% Domain: %-:word% Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: %-:word% Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: %src-ip:ipv4% Source Port: %src-port:number%
+
+#*****************************************************************************
+# Citrix
+#*****************************************************************************
+
+# 16:04:31 GMT server1 PPE-1 : AAA LOGIN_FAILED 71011157 : User bob - Client_ip 12.12.12.12 - Failure_reason "External authentication server denied access"
+
+rule=: %-:word% %-:word% %-:word% %-:word% : AAA LOGIN_FAILED %-:word% : User %username:word% - Client_ip %src-ip:ipv4% - Failure_reason %-:rest%
+
+# 16:23:29 GMT server1 PPE-0 : SSLVPN LOGIN 75181906 : Context bob@12.12.12.12 - SessionId: 11147- User bob - Client_ip 12.12.12.12 - Nat_ip "Mapped Ip" - Vserver 192.168.1.1:443 - Browser_type "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" - SSLVPN_client_type Clientless - Group(s) "N/A"
+
+rule=: %-:word% %-:word% %-:word% %-:word% : SSLVPN LOGIN %-:number% : Context %-:word% - SessionId: %-:word% User %username:word% - Client_ip %src-ip:ipv4% %-:rest%
+rule=: %-:word% %-:word% %-:word% %-:word% : SSLVPN LOGOUT %-:number% : Context %-:word% - SessionId: %-:word% User %username:word% - Client_ip %src-ip:ipv4% %-:rest%
+
diff -Nru sagan-rules-10222015/ntp.rules sagan-rules-20160923/ntp.rules
--- sagan-rules-10222015/ntp.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/ntp.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan ntp.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/openssh-aetas.rules sagan-rules-20160923/openssh-aetas.rules
--- sagan-rules-10222015/openssh-aetas.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/openssh-aetas.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan openssh-aetas.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -33,9 +33,9 @@
 # 10.1.7.2|authpriv|info|info|56|2013-12-02|14:21:19|sshd| Accepted password for bob from 10.1.16.1 port 51860 ssh2
-alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-AETAS] Authentication success via password at suspicious time"; content: "Accepted password"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002049; normalize: openssh; program: sshd; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; sid: 5002049; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-AETAS] Authentication success via publickey at suspicious time"; content: "Accepted publickey"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002050; normalize: openssh; program: sshd; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; sid: 5002050; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-AETAS] Authentication success via keyboard at suspicious time"; content: "Accepted keyboard-interactive"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002051; normalize: openssh; program: sshd; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; sid: 5002051; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-AETAS] Authentication success via password at suspicious time"; content: "Accepted password"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002049; normalize; program: sshd; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; sid: 5002049; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-AETAS] Authentication success via publickey at suspicious time"; content: "Accepted publickey"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002050; normalize; program: sshd; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; sid: 5002050; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-AETAS] Authentication success via keyboard at suspicious time"; content: "Accepted keyboard-interactive"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002051; normalize; program: sshd; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; sid: 5002051; rev:3;)
diff -Nru sagan-rules-10222015/openssh-bluedot.rules sagan-rules-20160923/openssh-bluedot.rules
--- sagan-rules-10222015/openssh-bluedot.rules 1970-01-01 00:00:00.000000000 +0000
+++ sagan-rules-20160923/openssh-bluedot.rules 2016-09-21 02:52:28.000000000 +0000
@@ -0,0 +1,39 @@
+# Sagan openssh-geoip.rules
+# Copyright (c) 2009-2016, Quadrant Information Security
+# All rights reserved.
+#
+# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
+#
+#*************************************************************
+# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
+# following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
+# disclaimer.
+# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
+# following disclaimer in the documentation and/or other materials provided with the distribution.
+# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#*************************************************************
+#
+# Not getting the source IP addresses that you'd expect? Then you probably
+# have OpenSSH's "UseDNS" set to "Yes" in your sshd_config file. You'll
+# need to set that to "No" so Sagan can "find" the source IP addresses and
+# port information.
+
+
+# 10.1.7.2|authpriv|info|info|56|2013-12-02|14:21:19|sshd| Accepted password for bob from 10.1.16.1 port 51860 ssh2
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-BLUEDOT] Authentication success via password from suspicious source"; content: "Accepted password"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002905; normalize; program: sshd; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; sid:5002905; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-BLUEDOT] Authentication success via publickey from suspicious source"; content: "Accepted publickey"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002906; normalize; program: sshd; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; sid:5002906; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-BLUEDOT] Authentication success via keyboard from suspicious source"; content: "Accepted keyboard-interactive"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002907; normalize; program: sshd; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot;; sid:5002907; rev:2;)
+
diff -Nru sagan-rules-10222015/openssh-correlated.rules sagan-rules-20160923/openssh-correlated.rules
--- sagan-rules-10222015/openssh-correlated.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/openssh-correlated.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan openssh-correlated.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
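Review bot: The third rule of the new openssh-bluedot.rules file carries a doubled option separator, `... Tor, Honeypot;; sid:5002907; rev:2;)`, which its two sibling rules do not; depending on how the rule parser handles an empty option, the sid 5002907 signature may be rejected at load time or parsed differently from the other two, so it should read `... Tor, Honeypot; sid:5002907; rev:2;)`. The header comment on the first added line names the file `openssh-geoip.rules` while the file being added is `openssh-bluedot.rules`, which looks like a leftover from the ruleset it was copied from; it should read `# Sagan openssh-bluedot.rules`. The license clause `Neither the name of the nor the names of its contributors` is also missing the organisation name, presumably the copyright holder named two lines above.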
@@ -29,15 +29,15 @@
 # Add by Champ Clark - 09/18/2015
 # Login after previous recon flowbit is set.
-alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-CORRELATED] Authentication success via password after suspicious activity"; content: "Accepted password"; flowbits: isset,by_src,recon|honeypot; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002353; normalize: openssh; program: sshd; sid:5002353; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-CORRELATED] Authentication success via public key after suspicious activity"; content: "Accepted publickey"; flowbits: isset,by_src,recon|honeypot; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002354; normalize: openssh; program: sshd; sid:5002354; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-CORRELATED] Authentication success via keyboard-interactive after suspicious activity"; content: "Accepted keyboard-interactive"; flowbits: isset,by_src,recon|honeypot; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002355; normalize: openssh; program: sshd; sid:5002355; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-CORRELATED] Authentication success via password after suspicious activity"; content: "Accepted password"; flowbits: isset,by_src,recon|honeypot; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002353; normalize; program: sshd; sid:5002353; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-CORRELATED] Authentication success via public key after suspicious activity"; content: "Accepted publickey"; flowbits: isset,by_src,recon|honeypot; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002354; normalize; program: sshd; sid:5002354; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-CORRELATED] Authentication success via keyboard-interactive after suspicious activity"; content: "Accepted keyboard-interactive"; flowbits: isset,by_src,recon|honeypot; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002355; normalize; program: sshd; sid:5002355; rev:3;)
 # Added by Champ Clark - 09/17/2014 - Required flowbit. Valid login _after_ brute force.
-alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-CORRELATED] SSH login success after brute force attack!"; pcre: "/accepted|authenticated/i"; flowbits: isset,by_src,brute_force; flowbits: set,attacker,86400; normalize: openssh; classtype: correlated-attack; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5002176; sid:5002177; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-CORRELATED] SSH login success after brute force attack!"; pcre: "/accepted|authenticated/i"; flowbits: isset,by_src,brute_force; flowbits: set,attacker,86400; normalize; classtype: correlated-attack; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5002176; sid:5002177; rev:7;)
 # We could later use "attacker.generic" to "track" the attacker!
-alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-CORRELATED] Accepted publickey after brute force attack!"; content: "Accepted publickey" ; flowbits: isset,by_src,brute_force; flowbits: set,attacker,86400; normalize: openssh; classtype: correlated-attack; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5002178; sid:5002178; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-CORRELATED] Accepted publickey after brute force attack!"; content: "Accepted publickey" ; flowbits: isset,by_src,brute_force; flowbits: set,attacker,86400; normalize; classtype: correlated-attack; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5002178; sid:5002178; rev:6;)
diff -Nru sagan-rules-10222015/openssh-geoip.rules sagan-rules-20160923/openssh-geoip.rules
--- sagan-rules-10222015/openssh-geoip.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/openssh-geoip.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan openssh-geoip.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
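Review bot: Every rule in this hunk replaces `normalize: openssh` with the bare `normalize`, and the same diff deletes openssh-normalize.rulebase outright, so the `Accepted ... for %username:word% from %src-ip:ipv4% port %src-port:number%` patterns that used to live there must now be present in whatever rulebase the default normalizer loads; if they are not, no src-ip is ever extracted and the `flowbits: isset,by_src,...` checks in these five rules can never match, with no load-time error to show for it. The identical substitution is made in the openssh-geoip.rules hunk and throughout openssh.rules further down, so a single check of the consolidated rulebase covers all of them. A one-line comment above the first rule, `# Source IP/port come from the default normalize rulebase, which must carry the OpenSSH "Accepted ... from <ip> port <port>" patterns`, would make the dependency visible to whoever next edits that rulebase.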
@@ -33,9 +33,9 @@
 # 10.1.7.2|authpriv|info|info|56|2013-12-02|14:21:19|sshd| Accepted password for bob from 10.1.16.1 port 51860 ssh2
-alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-GEOIP] Authentication success via password from outside HOME_COUNTRY"; content: "Accepted password"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001874; normalize: openssh; program: sshd; country_code: track by_src, isnot $HOME_COUNTRY; sid: 5001874; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-GEOIP] Authentication success via publickey from outside HOME_COUNTRY"; content: "Accepted publickey"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001875; normalize: openssh; program: sshd; country_code: track by_src, isnot $HOME_COUNTRY; sid: 5001875; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-GEOIP] Authentication success via keyboard from outside HOME_COUNTRY"; content: "Accepted keyboard-interactive"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001876; normalize: openssh; program: sshd; country_code: track by_src, isnot $HOME_COUNTRY; sid: 5001876; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-GEOIP] Authentication success via password from outside HOME_COUNTRY"; content: "Accepted password"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001874; normalize; program: sshd; country_code: track by_src, isnot $HOME_COUNTRY; sid: 5001874; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-GEOIP] Authentication success via publickey from outside HOME_COUNTRY"; content: "Accepted publickey"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001875; normalize; program: sshd; country_code: track by_src, isnot $HOME_COUNTRY; sid: 5001875; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-GEOIP] Authentication success via keyboard from outside HOME_COUNTRY"; content: "Accepted keyboard-interactive"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001876; normalize; program: sshd; country_code: track by_src, isnot $HOME_COUNTRY; sid: 5001876; rev:2;)
diff -Nru sagan-rules-10222015/openssh-normalize.rulebase sagan-rules-20160923/openssh-normalize.rulebase
--- sagan-rules-10222015/openssh-normalize.rulebase 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/openssh-normalize.rulebase 1970-01-01 00:00:00.000000000 +0000
@@ -1,49 +0,0 @@
-# Sagan openssh-normalize.rulebase
-# Copyright (c) 2009-2015, Quadrant Information Security
-# All rights reserved.
-#
-# This file is used in conjunction with liblognorm.
-#
-# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
-#
-#*************************************************************
-# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
-# following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
-# disclaimer.
-# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
-# following disclaimer in the documentation and/or other materials provided with the distribution.
-# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
-# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
-# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#
-#*************************************************************
-
-prefix=
-rule=: Invalid user %username:word% from %src-ip:ipv4%
-rule=: Failed %-:word% for invalid user %username:word% from %src-ip:ipv4% port %src-port:number% ssh2
-
-rule=: Accepted %-:word% for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2
-
-rule=: Accepted keyboard-interactive/pam for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2
-rule=: Accepted password for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2
-
-rule=: error: PAM: Authentication failure for %username:word% from %src-ip:ipv4%
-rule=: error: PAM: Authentication failure for %username:word% from %src-host:word%
-
-rule=: pam_unix(sshd:auth): authentication failure; logname= uid=%uid:number% euid=%-:number% tty=ssh ruser= rhost=%src-ip:ipv4% user=%username:word%
-rule=: pam_unix(sshd:auth): authentication failure; logname= uid=%uid:number% euid=%-:number% tty=ssh ruser= rhost=%src-ip:ipv4%
-rule=: PAM %number:number% more authentication failure; logname= uid=%uid:number% euid=%-:number% tty=ssh ruser= rhost=%src-ip:ipv4%
-rule=: Accepted publickey for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2
-rule=: error: PAM: Authentication failure for illegal user %username:word% from %src-ip:ipv4%
-rule=: Failed password for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2
-rule=: Accepted gssapi-with-mic for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2
-
diff -Nru sagan-rules-10222015/openssh.rules sagan-rules-20160923/openssh.rules
--- sagan-rules-10222015/openssh.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/openssh.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan openssh.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -32,36 +32,37 @@
 # Failed password for root from 109.70.148.243 port 17298 ssh2
+# error: PAM: Authentication failure for champ from 192.168.1.1
-drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [5/5]"; content: "Authentication failure"; flowbits: set,brute_force, 86400; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000015; normalize: openssh; program: sshd; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; sid: 5000015; rev:9;)
+drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [10/1]"; content: "Authentication failure"; flowbits: set,brute_force,21600; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000015; normalize; parse_src_ip: 1; program: sshd; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; sid: 5000015; rev:12;)
-#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [10/5]"; content: "Authentication failure"; flowbits: set,brute_force,86400; classtype: unsuccessful-user; normalize: openssh; program: sshd; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001634; sid: 5001634; rev:5;)
-#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [20/5]"; content: "Authentication failure"; flowbits: set,brute_force,86400; classtype: unsuccessful-user; normalize: openssh; program: sshd; after: track by_src, count 20, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001635; sid: 5001635; rev:5;)
-#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [30/5]"; content: "Authentication failure"; flowbits: set,brute_force,86400; classtype: unsuccessful-user; normalize: openssh; program: sshd; after: track by_src, count 30, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001636; sid: 5001636; rev:5;)
-#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [40/5]"; content: "Authentication failure"; flowbits: set,brute_force,86400; classtype: unsuccessful-user; normalize: openssh; program: sshd; after: track by_src, count 40, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001637; sid: 5001637; rev:5;)
-#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [50/5]"; content: "Authentication failure"; flowbits: set,brute_force,86400; classtype: unsuccessful-user; normalize: openssh; program: sshd; after: track by_src, count 50, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001638; sid: 5001638; rev:5;)
-#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [100/5]"; content: "Authentication failure"; flowbits: set,brute_force,86400; classtype: unsuccessful-user; normalize: openssh; program: sshd; after: track by_src, count 100, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001639; sid: 5001639; rev:5;)
-
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure"; content: "Authentication failure"; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001523; normalize: openssh; program: sshd; sid: 5001523; rev:2;)
-
-drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [10/1]"; content: "authentication failure"; flowbits: set, brute_force,86400; classtype: unsuccessful-user;program: sshd; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5000016; sid: 5000016; rev:10;)
-#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [10/5]"; content: "authentication failure"; flowbits: set,brute_force,86400; classtype: unsuccessful-user;program: sshd; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5001628; sid: 5001628; rev:5;)
-#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [20/5]"; content: "authentication failure"; flowbits: set,brute_force,86400; classtype: unsuccessful-user;program: sshd; after: track by_src, count 20, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5001629; sid: 5001629; rev:5;)
-#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [30/5]"; content: "authentication failure"; flowbits: set,brute_force,86400; classtype: unsuccessful-user;program: sshd; after: track by_src, count 30, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5001630; sid: 5001630; rev:5;)
-#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [40/5]"; content: "authentication failure"; classtype: unsuccessful-user;program: sshd; after: track by_src, count 40, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5001631; sid: 5001631; rev:3;)
-#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [50/5]"; content: "authentication failure"; flowbits: set,brute_force,86400; classtype: unsuccessful-user;program: sshd; after: track by_src, count 50, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5001632; sid: 5001632; rev:5;)
-#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [100/5]"; content: "authentication failure"; flowbits: set,brute_force,86400; classtype: unsuccessful-user;program: sshd; after: track by_src, count 100, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5001633; sid: 5001633; rev:5;)
-
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure"; content: "authentication failure"; classtype: unsuccessful-user;program: sshd; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5001524; sid: 5001524; rev:2;)
-drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure for root - Brute force [5/5]"; content: "Authentication failure for root"; flowbits: set,brute_force,86400; classtype: unsuccessful-admin;program: sshd; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5000017; sid: 5000017; rev:9;)
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure for root"; content: "Authentication failure for root"; flowbits: set,brute_force,86400; classtype: unsuccessful-admin;program: sshd; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5001525; sid: 5001525; rev:5;)
-drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Possible break-in attempt"; content: "POSSIBLE BREAK-IN ATTEMPT"; classtype: unsuccessful-user; program: sshd; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000018; sid: 5000018; rev:6;)
+#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [10/5]"; content: "Authentication failure"; flowbits: set,brute_force,21600; classtype: unsuccessful-user; normalize; program: sshd; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001634; sid: 5001634; rev:7;)
+#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [20/5]"; content: "Authentication failure"; flowbits: set,brute_force,21600; classtype: unsuccessful-user; normalize; program: sshd; after: track by_src, count 20, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001635; sid: 5001635; rev:7;)
+#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [30/5]"; content: "Authentication failure"; flowbits: set,brute_force,21600; classtype: unsuccessful-user; normalize; program: sshd; after: track by_src, count 30, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001636; sid: 5001636; rev:7;)
+#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [40/5]"; content: "Authentication failure"; flowbits: set,brute_force,21600; classtype: unsuccessful-user; normalize; program: sshd; after: track by_src, count 40, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001637; sid: 5001637; rev:7;)
+#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [50/5]"; content: "Authentication failure"; flowbits: set,brute_force,21600; classtype: unsuccessful-user; normalize; program: sshd; after: track by_src, count 50, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001638; sid: 5001638; rev:7;)
+#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [100/5]"; content: "Authentication failure"; flowbits: set,brute_force,21600; classtype: unsuccessful-user; normalize; program: sshd; after: track by_src, count 100, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001639; sid: 5001639; rev:7;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure"; content: "Authentication failure"; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001523; normalize; program: sshd; sid: 5001523; rev:3;)
+
+drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [10/1]"; content: "authentication failure"; flowbits: set, brute_force,21600; classtype: unsuccessful-user;program: sshd; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000016; sid: 5000016; rev:12;)
+#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [10/5]"; content: "authentication failure"; flowbits: set,brute_force,21600; classtype: unsuccessful-user;program: sshd; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001628; sid: 5001628; rev:7;)
+#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [20/5]"; content: "authentication failure"; flowbits: set,brute_force,21600; classtype: unsuccessful-user;program: sshd; after: track by_src, count 20, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001629; sid: 5001629; rev:7;)
+#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [30/5]"; content: "authentication failure"; flowbits: set,brute_force,21600; classtype: unsuccessful-user;program: sshd; after: track by_src, count 30, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001630; sid: 5001630; rev:7;)
+#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [40/5]"; content: "authentication failure"; classtype: unsuccessful-user;program: sshd; after: track by_src, count 40, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001631; sid: 5001631; rev:4;)
+#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [50/5]"; content: "authentication failure"; flowbits: set,brute_force,21600; classtype: unsuccessful-user;program: sshd; after: track by_src, count 50, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001632; sid: 5001632; rev:7;)
+#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [100/5]"; content: "authentication failure"; flowbits: set,brute_force,21600; classtype: unsuccessful-user;program: sshd; after: track by_src, count 100, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001633; sid: 5001633; rev:7;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure"; content: "authentication failure"; classtype: unsuccessful-user;program: sshd; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001524; sid: 5001524; rev:3;)
+drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure for root - Brute force [5/5]"; content: "Authentication failure for root"; flowbits: set,brute_force,21600; classtype: unsuccessful-admin;program: sshd; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000017; sid: 5000017; rev:12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure for root"; content: "Authentication failure for root"; flowbits: set,brute_force,21600; classtype: unsuccessful-admin;program: sshd; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001525; sid: 5001525; rev:7;)
+drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Possible break-in attempt"; content: "POSSIBLE BREAK-IN ATTEMPT"; classtype: unsuccessful-user; program: sshd; parse_src_ip: 1; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000018; sid: 5000018; rev:7;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Not executable shell - login attempt"; content: "is not executable"; classtype: unsuccessful-user; program: sshd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000020; sid: 5000020; rev:4;)
 #alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Message send write error"; content: "ssh_msg_send";classtype: network-event; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000021; sid:5000021; rev:2;)
 # General "illegal user"
-alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [Brute Force] [10/5]"; pcre: "/invalid user|illegal user/i"; flowbits: set, illegal_user.unix.ssh&illegal_user.generic, 86400; classtype: attempted-user; program: sshd; parse_src_ip: 1; after: track by_src, count 10, seconds 300; threshold:type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5000022; sid: 5000022; rev:13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [Brute Force] [10/1]"; pcre: "/invalid user|illegal user/i"; flowbits: set,brute_force,21600; classtype: attempted-user; program: sshd; normalize; parse_src_ip: 1; parse_port; after: track by_src, count 10, seconds 300; threshold:type limit, track by_src, count 1, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5000022; sid: 5000022; rev:16;)
 # Champ Clark (Quadrant Information Security) - Jan 27th 2010 - Out of band challenge - for more info see: http://sourceforge.net/projects/pamobc/
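Review bot: The rewritten sid 5000022 (last added line of the hunk) now sets the `brute_force` flowbit where the old rule set `illegal_user.unix.ssh&illegal_user.generic`; any rule elsewhere in the ruleset that tests `flowbits: isset` on either of those names goes quiet after this change, and nothing in the diff shows such consumers being retired or re-pointed, so that should be confirmed before the rename ships. If it is intentional, a comment above the rule such as `# flowbit changed from illegal_user.* to brute_force so the OPENSSH-CORRELATED login-after-brute-force rules pick these sources up` would record the reason. Separately, the commented-out 5001634–5001639 and 5001628–5001633 templates keep `[N/5]` in their msg while their threshold count was lowered to 1 (the live 5000015 had its msg updated to `[10/1]` for the same change), and 5001631 alone keeps count 5 and no flowbit, so these mirrors are no longer consistent with the live rules they are meant to be swapped in for.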
@@ -79,15 +80,15 @@
 # Failed password for root from 10.10.0.1 port 17298 ssh2
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[OPENSSH] Failed password - Brute force [10/1]"; content: "Failed password"; program: sshd; normalize: openssh; flowbits: set, brute_force,86400; classtype: unsuccessful-user; sid: 5001646; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001646; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[OPENSSH] Failed password - Brute force [10/1]"; content: "Failed password"; program: sshd; normalize; flowbits: set,brute_force,21600; classtype: unsuccessful-user; sid: 5001646; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001646; rev:8;)
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[OPENSSH] Failed password"; content: "Failed password"; program: sshd; normalize: openssh; classtype: unsuccessful-user; sid: 5001647; reference: url,wiki.quadrantsec.com/bin/view/Main/5001647; rev:3;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[OPENSSH] Failed password"; content: "Failed password"; program: sshd; normalize; classtype: unsuccessful-user; sid: 5001647; reference: url,wiki.quadrantsec.com/bin/view/Main/5001647; rev:4;)
 # AIX 5 has a tendency to log ssh connections via program: syslog :(
 # syslog ssh: failed login attempt for UNKNOWN_USER from 10.1.1.4
-drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] SYSLOG Authentication failure - Brute force [5/5]"; content: "ssh|3a| failed login attempt"; flowbits: set,brute_force,86400; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001954; program: syslog; after: track by_src, count 5, seconds 300; parse_ip_src: 1; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; sid: 5001954; rev:8;)
+drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] SYSLOG Authentication failure - Brute force [5/1]"; content: "ssh|3a| failed login attempt"; flowbits: set,brute_force,21600; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001954; program: syslog; after: track by_src, count 5, seconds 300; parse_ip_src: 1; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; sid: 5001954; rev:9;)
 # Added by Robert Nunley - 02/20/2014 (rnunley@quadrantsec.com)
diff -Nru sagan-rules-10222015/openvpn.rules sagan-rules-20160923/openvpn.rules
--- sagan-rules-10222015/openvpn.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/openvpn.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan openvpn.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/oracle.rules sagan-rules-20160923/oracle.rules
--- sagan-rules-10222015/oracle.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/oracle.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan oracle.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
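Review bot: The rewritten sid 5001954 (last added line of the hunk) keeps `parse_ip_src: 1` although every other rule in this file spells the keyword `parse_src_ip: 1` (sids 5000015, 5000018, 5000020 and 5000022 in the hunk above); the line was already being touched for the threshold and flowbit change, so the spelling should be corrected in the same revision, `parse_src_ip: 1;`. If the loader does not reject the unknown option the failure is silent: the client address is presumably never pulled out of the syslog-sourced message, and the by_src counter, the `brute_force` flowbit and the `fwsam: src, 1 day` block would then key on whatever address the engine has for the event, which is unlikely to be the client named in the log line. Worth a quick load test against the sample `ssh: failed login attempt ... from 10.1.1.4` line in the comment above to confirm which of the two behaviours applies.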
@@ -28,5 +28,6 @@
 # 34: Audit trail: LENGTH: "351" SESSIONID:[9] "269111111" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[8] "XXXXXXX" USERHOST:[17] "XXXX\XXXX-XXXXX" TERMINAL:[12] "XXXX-XXXXXXX" ACTION:[3] "100" RETURNCODE:[4] "1017" COMMENT$TEXT:[100] "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=XX.XX.XX.XX)(PORT=XXXXX))" OS$USERID:[3] "Bob" DBID:[10] "4004821111" .
 # 34: Audit trail: LENGTH: "358" SESSIONID:[9] "269811111" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[14] "XXXXXXXXZZZZZZ" USERHOST:[17] "XXXX\XXXX-XXXXXX" TERMINAL:[12] "XXXXX-XXXXXX" ACTION:[3] "100" RETURNCODE:[4] "1017" COMMENT$TEXT:[100] "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=XX.XX.XX.XX)(PORT=XXXXXX))" OS$USERID:[3] "Bob" DBID:[10] "4004827967" .
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg: "[ORACLE] Authentication Failure"; content: "RETURNCODE|3a|[4] |22|1017|22|"; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5001717; sid: 5001717; rev: 2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg: "[ORACLE] Authentication Failure"; content: "RETURNCODE|3a|[4] |22|1017|22|"; classtype: unsuccessful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5001717; sid:5001717; rev: 3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg: "[ORACLE] Brute force authentication failure [5/1]"; content: "RETURNCODE|3a|[4] |22|1017|22|"; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; flowbits: set,brute_force,21600; classtype: unsuccessful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002949; sid:5002949; rev: 1;)
diff -Nru sagan-rules-10222015/ossec-mi.rules sagan-rules-20160923/ossec-mi.rules
--- sagan-rules-10222015/ossec-mi.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/ossec-mi.rules 2016-09-21 02:52:28.000000000 +0000
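Review bot: Neither the rewritten 5001717 nor the new 5002949 says what the matched field means, even though both key entirely on `RETURNCODE:[4] "1017"`; a comment above 5001717 such as `# RETURNCODE 1017 = ORA-01017 (invalid username/password; logon denied)` would document why this content is treated as an authentication failure. The two sample audit records above the rules show the only literal address in the message inside `COMMENT$TEXT` (`HOST=XX.XX.XX.XX`), which is what the newly added `parse_src_ip: 1` depends on; since USERHOST and TERMINAL precede that field in the record, a deployment that logs an address there would be picked up first, so the same comment should say which address is expected. The brute-force rule also has no `program:` restriction while the rest of this diff's brute-force rules carry one; if the audit trail arrives under a fixed syslog program it would be worth adding.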
@@ -2,7 +2,7 @@
 ## OSSEC SAGAN RULES (autogenerated)
 ##
 ## Sagan is:
-## Copyright (c) 2009-2015, Quadrant Information Security
+## Copyright (c) 2009-2016, Quadrant Information Security
 ## All rights reserved.
 ##
 ## Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/ossec.rules sagan-rules-20160923/ossec.rules
--- sagan-rules-10222015/ossec.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/ossec.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan ossec.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/palo-alto.rules sagan-rules-20160923/palo-alto.rules
--- sagan-rules-10222015/palo-alto.rules 1970-01-01 00:00:00.000000000 +0000
+++ sagan-rules-20160923/palo-alto.rules 2016-09-21 02:52:28.000000000 +0000
@@ -0,0 +1,96 @@
+# Copyright (c) 2009-2016, Quadrant Information Security
+# All rights reserved.
+#
+# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
+#
+#*************************************************************
+# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
+# following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
+# disclaimer.
+# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
+# following disclaimer in the documentation and/or other materials provided with the distribution.
+# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#*************************************************************
+# Palo Alto Rules Created by Robert Nunley (rnunley@quadrantsec.com)
+# 10/23/2015
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Certificate has illegal URL"; content: "Certificate"; content: "has illegal URL"; classtype: system-event; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002580; rev: 2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Accepted SSH Connection From Outside Home Country"; content: "Accepted keyboard-interactive/pam for "; content: "ssh2"; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002581; rev: 2;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] AntiVirus update job failed"; content: "AntiVirus update job failed"; classtype: system-event; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002582; rev: 2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Authorization failed - Brute Force [25/1] "; content: "Authorization failed for user "; classtype: unsuccessful-user; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; flowbits: set,brute_force,21600; parse_src_ip: 1; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002583; rev: 3;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Chassis Master Alarm"; content: "Chassis Master Alarm"; classtype: hardware-event; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002584; rev: 2;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Failed to connect to Panorama Server"; content: "Failed to connect to Panorama Server"; classtype: system-event; reference: url,ive.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002585; rev: 3;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Failed Interactive Login - Brute Force [15/1]"; content: "Failed keyboard-interactive/pam for invalid user"; parse_src_ip: 1; classtype: unsuccessful-user; flowbits: set,brute_force,21600; after: track by_src, count 15, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002586; rev: 3;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Failed to install software"; content: "Failed to install software"; classtype: system-event; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002587; rev: 2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] NTLM Authentication Brute Force - [25/1]"; content: "NTLM authentication failed for user"; after: track by_src, count 15, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; flowbits: set,brute_force,21600; parse_src_ip: 1; classtype: unsuccessful-user; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002588; rev: 2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Successful NTLM Authentication From Outside Home Country"; content: "NTLM authentication succeeded for user"; country_code: track by_src, isnot $HOME_COUNTRY; parse_src_ip: 1; classtype: successful-user; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002589; rev: 2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] User Authenticated From Outside Home Country"; content: "User"; content: "authenticated"; country_code: track by_src, isnot $HOME_COUNTRY; parse_src_ip: 1; classtype: successful-user; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002590; rev: 2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] User Authentication - Brute Force [25/1]"; content: "User"; content: "failed authentication"; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; flowbits: set,brute_force,21600; parse_src_ip: 1; classtype: unsuccessful-user; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002591; rev: 2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Possible Replay Attempt Caused Disconnection"; content: "Disconnecting due to possible replay attempt"; classtype: network-event; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002592; rev: 2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] GlobalProtect Portal Authentication From Outside Home Country"; content: "GlobalProtect portal user authentication succeeded"; country_code: track by_src, isnot $HOME_COUNTRY; parse_src_ip: 1; classtype: successful-user; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002593; rev: 2;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] PPPoE Session Connected For User Outside Home Country; content: "PPPoE session was connected for user"; country_code: track by_src, isnot $HOME_COUNTRY; parse_src_ip: 1; classtype: successful-user; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002594; rev: 2;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] PPPoE Brute Force Attempt - [25/1]"; content: "PPPoE session failed to connect"; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; flowbits: set,brute_force,21600; parse_src_ip: 1; classtype: unsuccessful-user; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002595; rev: 3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] SSL VPN User Authentication Failure - Brute Force [25/1]"; content: "SSL VPN user authentication failed"; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; flowbits: set,brute_force,21600; parse_src_ip: 1; classtype: unsuccessful-user; reference: url,ive.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002596; rev: 3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] SSL VPN Authentication From Outside Home Country"; content: "SSL VPN user authentication succeeded"; country_code: track by_src, isnot $HOME_COUNTRY; parse_src_ip: 1; classtype: successful-user; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002597; rev: 2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] SSL VPN Login - Brute Force [25/1]"; content: "SSL VPN user login failed"; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; flowbits: set,brute_force,21600; parse_src_ip: 1; classtype: unsuccessful-user; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002598; rev: 3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] SSL VPN Login From Outside Home Country"; content: "SSL VPN user login succeeded"; country_code: track by_src, isnot $HOME_COUNTRY; parse_src_ip: 1; classtype: successful-user; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002599; rev: 1;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Certificate is revoked"; content: "Certificate"; content: "is revoked"; classtype: system-event; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002600; rev: 1;)
+
+
+#####Below Contributed by ~Cyber.Tao.Flow~
+#####Uses paloalto-normalize.rulebase
+
+########URLZ
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Malware URL Blocked"; content:",THREAT,url,"; content:",block-url,"; content:!",online-personal-storage,"; content:",malware-sites,"; threshold: type limit, count 1, seconds 1800, track by_src; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; classtype: suspicious-traffic; reference: url,www.brightcloud.com/tools/url-ip-lookup.php; sid: 5002749; priority: 3; rev: 4;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Phishing URL Blocked"; content:",THREAT,url,"; content:",block-url,"; content:!",online-personal-storage,"; content:",phishing-and-other-frauds,"; threshold: type limit, count 1, seconds 600, track by_src; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; classtype: suspicious-traffic; reference: url,www.brightcloud.com/tools/url-ip-lookup.php; sid: 5002750; priority: 2; rev: 3;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Spyware or Adware URL Blocked"; content:",THREAT,url,"; content:",block-url,"; content:!",online-personal-storage,"; content:",spyware-and-adware,"; threshold: type limit, count 1, seconds 1800, track by_src; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; classtype: suspicious-traffic; reference: url,www.brightcloud.com/tools/url-ip-lookup.php; sid: 5002751; priority: 3; rev: 3;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Url Blocked by policy or category"; content:",THREAT,url,"; content:",block-url,"; content:!",online-personal-storage,"; content:!",malware-sites,"; content:!",phishing-and-other-frauds,"; content:!",spyware-and-adware,"; threshold: type limit, count 1, seconds 1800, track by_dst; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; classtype: suspicious-traffic; reference: url,www.brightcloud.com/tools/url-ip-lookup.php; sid: 5002752; pri: 3;rev:3;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Foreign URL of unknown category"; content:"THREAT,url"; content:",unknown,"; normalize; parse_port;threshold: type limit, count 1, seconds 3600, track by_dst; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; country_code: track by_dst, isnot $HOME_COUNTRY; classtype: suspicious-traffic; reference: url,www.brightcloud.com/tools/url-ip-lookup.php; sid:5002753; pri: 3;rev:2;)
+#####
+##### Following rule is used in conjunction with meta_content variable IGNOREDL and set silent flowbits which are checked in rule 5002762
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Url silent flowbit set"; content:",THREAT,url,"; content:!",block-url,"; meta_content: "%sagan%",$IGNOREDL; meta_nocase; flowbits:set,downloadnolog,60; flowbits:noalert; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; classtype: suspicious-traffic; reference: url,www.brightcloud.com/tools/url-ip-lookup.php; sid: 5002754; pri: 3; rev:3;)
+
+#####VIRI
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Virus Detected"; content:"THREAT,virus"; normalize; parse_proto; parse_port; parse_src_ip: 1; parse_dst_ip: 2; classtype: suspicious-traffic; reference: url,threatvault.paloaltonetworks.com; sid: 5002755; pri: 1;rev:2;)
+
+#####VULNZPloitZ By Direction
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PALO-ALTO] Critical Severity Exploit Inbound"; content:"THREAT,vulnerability"; pcre: "/vsys\d{1,2},Untrust,|vsys\d{1,2},Outside,|vsys\d{1,2},external,/i"; content:",critical,"; normalize; parse_proto; parse_port; parse_src_ip: 1; parse_dst_ip: 2; classtype: exploit-attempt; reference: url,threatvault.paloaltonetworks.com; sid: 5002756; pri: 1; rev: 2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PALO-ALTO] Critical Severity Exploit Outbound"; content:"THREAT,vulnerability"; pcre: "/vsys\d{1,2},Trust,|vsys\d{1,2},Inside,|vsys\d{1,2},DMZ,|vsys\d{1,2},internal,/i"; content:",critical,"; normalize; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; classtype: bad-unknown; reference: url,threatvault.paloaltonetworks.com; sid: 5002757; pri: 1; rev: 3;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PALO-ALTO] High Severity Exploit Inbound"; content:"THREAT,vulnerability"; pcre: "/vsys\d{1,2},Untrust,|vsys\d{1,2},Outside,|vsys\d{1,2},external/i"; content:",high,"; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; classtype: exploit-attempt; reference: url,threatvault.paloaltonetworks.com; sid: 5002758; pri: 2; rev: 2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PALO-ALTO] High Severity Exploit Outbound"; content:"THREAT,vulnerability"; pcre: "/vsys\d{1,2},Trust,|vsys\d{1,2},Inside,|vsys\d{1,2},DMZ,|vsys\d{1,2},internal,/i"; content:",high,"; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; classtype: bad-unknown; reference: url,threatvault.paloaltonetworks.com; sid: 5002759; pri: 2; rev: 2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PALO-ALTO] Medium Severity Exploit Inbound"; content:"THREAT,vulnerability"; pcre: "/vsys\d{1,2},Untrust,|vsys\d{1,2},Outside,|vsys\d{1,2},external/i";; content:",medium,"; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; classtype: exploit-attempt; reference: url,threatvault.paloaltonetworks.com; sid: 5002760; pri: 3; rev: 2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PALO-ALTO] Medium Severity Exploit Outbound"; content:"THREAT,vulnerability";pcre: "/vsys\d{1,2},Trust,|vsys\d{1,2},Inside,|vsys\d{1,2},DMZ,|vsys\d{1,2},internal,/i"; content:",medium,"; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; classtype: bad-unknown; reference: url,threatvault.paloaltonetworks.com; sid: 5002761; pri: 3; rev: 2;)
+
+######FILE
+###Uses flowbit set in rule 5002754. Only enable after setting IGNOREDL domains for meta_content.
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PALO-ALTO] Executable File Download"; content:"THREAT,file"; pcre: "/Microsoft PE File|Windows Executable/i"; flowbits: isnotset,both,downloadnolog; content:!"ms-update"; content:!"adobe-update"; content:!"google-update"; content:!"java-update"; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; classtype: suspicious-filename-detect; sid:5002762; priority: 3; rev: 5;)
+###
+
+######Spyware DNS
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PALO-ALTO] Suspicious DNS Request"; content:"THREAT,spyware,"; content:",Suspicious DNS Query"; normalize; parse_proto; parse_port; parse_src_ip: 1; parse_dst_ip: 2; classtype: network-event; threshold: type limit, track by_src, count 5, seconds 1800; reference: url,threatvault.paloaltonetworks.com; sid:5002763; pri: 2; rev: 4;)
diff -Nru sagan-rules-10222015/php.rules sagan-rules-20160923/php.rules
--- sagan-rules-10222015/php.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/php.rules 2016-09-21 02:52:28.000000000 +0000
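Review bot: The msg of sid 5002594 is missing its closing quote — `msg: "[PALO-ALTO] PPPoE Session Connected For User Outside Home Country; content:` — so the quoted string runs into the next keyword; it should read `msg: "[PALO-ALTO] PPPoE Session Connected For User Outside Home Country"; content: "PPPoE session was connected for user";`. Sid 5002760 has a doubled option terminator after its pcre (`/i";;`), and sid 5002588 announces `[25/1]` in its msg while its `after:` uses `count 15`, so either the label or the count is wrong. The reference URLs of sids 5002585 and 5002596 read `url,ive.paloaltonetworks.com` where every sibling has `url,live.paloaltonetworks.com`. As a point of style, the inbound exploit pcres end in `external,` in 5002756 but `external` in 5002758 and 5002760, and the file mixes `pri:` with `priority:`; worth normalising in the same pass so the severity tiers match exactly.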
@@ -1,5 +1,5 @@
 # Sagan php.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/postfix.rules sagan-rules-20160923/postfix.rules
--- sagan-rules-10222015/postfix.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/postfix.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan postfix.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/postgresql.rules sagan-rules-20160923/postgresql.rules
--- sagan-rules-10222015/postgresql.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/postgresql.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan postgresql.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/pptp.rules sagan-rules-20160923/pptp.rules
--- sagan-rules-10222015/pptp.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/pptp.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan pptp.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/procurve-normalize.rulebase sagan-rules-20160923/procurve-normalize.rulebase
--- sagan-rules-10222015/procurve-normalize.rulebase 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/procurve-normalize.rulebase 1970-01-01 00:00:00.000000000 +0000
@@ -1,31 +0,0 @@
-# Sagan procurve-normalize.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
-# All rights reserved.
-#
-# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
-#
-#*************************************************************
-# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
-# following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
-# disclaimer.
-# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
-# following disclaimer in the documentation and/or other materials provided with the distribution.
-# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
-# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
-# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#
-#*************************************************************
-
-#prefix=
-#FFI: port 14 - Security Violation
-#rule=: port %-:number% - Security Violation
-
diff -Nru sagan-rules-10222015/procurve.rules sagan-rules-20160923/procurve.rules
--- sagan-rules-10222015/procurve.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/procurve.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan procurve.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -33,7 +33,7 @@
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HP-E-SERIES-SWITCH] Invalid username/password"; program: auth; content:"Invalid user name/password"; classtype: unsuccessful-user; sid:5001120; reference: url,wiki.quadrantsec.com/bin/view/Main/5001120; rev:3;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HP-E-SERIES-SWITCH] port is off-line"; program: ports; content:"is now off-line; classtype: network-event; sid: 5001121; reference: url,wiki.quadrantsec.com/bin/view/Main/5001121; rev:2;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HP-E-SERIES-SWITCH] System went down:"; program: system; content:"System went down:"; classtype: network-event; sid: 5001122; reference: url,wiki.quadrantsec.com/bin/view/Main/5001122; rev:2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HP-E-SERIES-SWITCH] Port Security Violation"; program: FFI; pcre: "/Security Violation/i"; normalize: procurve; classtype: policy-violation; sid: 5001123; reference: url,wiki.quadrantsec.com/bin/view/Main/5001123; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HP-E-SERIES-SWITCH] Port Security Violation"; program: FFI; pcre: "/Security Violation/i"; normalize; classtype: policy-violation; sid: 5001123; reference: url,wiki.quadrantsec.com/bin/view/Main/5001123; rev:2;)
 # The "program" becomes the alert ID. So no "content:" is needed - Champ Clark III 06/25/2012
diff -Nru sagan-rules-10222015/proftpd-aetas.rules sagan-rules-20160923/proftpd-aetas.rules
--- sagan-rules-10222015/proftpd-aetas.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/proftpd-aetas.rules 2016-09-21 02:52:28.000000000 +0000
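Review bot: The context line for sid 5001121 on the new side has an unterminated content string, `content:"is now off-line; classtype: network-event;` — the closing quote before the semicolon is missing, so the match pattern presumably swallows the following options or fails to load; the commit only touches the neighbouring 5001123 rule and leaves this as is. It should read `content:"is now off-line"; classtype: network-event;` with a rev bump. The switch from `normalize: procurve` to bare `normalize` in 5001123 lines up with the deletion of procurve-normalize.rulebase earlier in this diff, but since the deleted file carried a commented-out `%-:number%` pattern for exactly this `FFI` message, a one-line comment above the rule naming which normalize rulebase it now relies on would help the next maintainer.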
@@ -1,5 +1,5 @@
 # Sagan proftpd-aetas.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/proftpd-bluedot.rules sagan-rules-20160923/proftpd-bluedot.rules
--- sagan-rules-10222015/proftpd-bluedot.rules 1970-01-01 00:00:00.000000000 +0000
+++ sagan-rules-20160923/proftpd-bluedot.rules 2016-09-21 02:52:28.000000000 +0000
@@ -0,0 +1,31 @@
+# Sagan proftpd-bluedot.rules
+# Copyright (c) 2009-2016, Quadrant Information Security
+# All rights reserved.
+#
+# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
+#
+#*************************************************************
+# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
+# following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
+# disclaimer.
+# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
+# following disclaimer in the documentation and/or other materials provided with the distribution.
+# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD-BLUEDOT] Authentication success from suspicious source"; content: "Login successful"; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; parse_src_ip: 3; classtype: successful-user; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5002908; sid:5002908; rev:2;)
+
+
+
diff -Nru sagan-rules-10222015/proftpd-geoip.rules sagan-rules-20160923/proftpd-geoip.rules
--- sagan-rules-10222015/proftpd-geoip.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/proftpd-geoip.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan proftpd-geoip.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/proftpd.rules sagan-rules-20160923/proftpd.rules
--- sagan-rules-10222015/proftpd.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/proftpd.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan proftpd.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
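Review bot: The new file carries no description of what rule 5002908 needs in order to fire; apart from the license header it is a single rule line, so a comment above it stating that Bluedot IP-reputation lookups must be enabled and that `Malicious, Tor, Honeypot` are the categories that trigger would help whoever deploys it. The rule has no `threshold`, so an already-logged-in user on a flagged address raises an alert on every `Login successful` line; if that is intended for a successful-user event it is worth saying so in the same comment. Note also that the sibling proftpd.rules rules in this diff use `parse_src_ip: 3` as well, so the comment could record which of the addresses in a proftpd login line the third one is, since nothing in the file shows a sample message.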
@@ -27,8 +27,8 @@
 #alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] Session opened"; content: "FTP session opened"; classtype: not-suspicious; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000078; sid: 5000078; rev:2;)
 #alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] Session closed"; content: "FTP session closed"; classtype: not-suspicious; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000079; sid: 5000079; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] Attempt to login as a non-existent user [Brute Force] [5/5]"; content: "no such user"; classtype: unsuccessful-user; parse_src_ip: 3; program: proftpd; after: track by_src, count 5, seconds 300; parse_ip_src: 1; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000080; sid: 5000080; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] Login failed accessing the FTP server [Brute Force] [5/5]"; pcre: "/Incorrect password|Login failed/i"; classtype: unsuccessful-user; parse_src_ip: 3; program: proftpd; after: track by_src, count 5, seconds 300; parse_ip_src: 1; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000081; sid: 5000081; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] Attempt to login as a non-existent user [Brute Force] [5/5]"; content: "no such user"; classtype: unsuccessful-user; parse_src_ip: 3; program: proftpd; after: track by_src, count 5, seconds 300; parse_ip_src: 1; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; flowbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5000080; sid: 5000080; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] Login failed accessing the FTP server [Brute Force] [5/5]";
pcre: "/Incorrect password|Login failed/i"; classtype: unsuccessful-user; parse_src_ip: 3; program: proftpd; after: track by_src, count 5, seconds 300; parse_ip_src: 1; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; flowbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5000081; sid: 5000081; rev:7;)
 #alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] Authentication success"; content: "Login successful"; classtype: successful-user; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000082; sid: 5000082; rev:2;)
 #alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] Connection refused by TCP Wrappers"; content: "refused connect from"; classtype: tcp-connection; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000083; sid: 5000083; rev:2;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] Small PassivePorts range in config file"; content: "unable to find open port in PassivePorts range"; classtype: program-error; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000084; sid: 5000084; rev:2;)
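Review bot: Both rewritten rules (sids 5000080 and 5000081) carry two source-address directives that disagree, `parse_src_ip: 3` and `parse_ip_src: 1`, and whichever one Sagan actually honours decides which address the new `flowbits: set,brute_force,21600`, the `after`/`threshold` counters and the existing `fwsam: src, 1 day` block are keyed on. The bluedot rule added for the same log source uses `parse_src_ip: 3` alone, so I would drop `parse_ip_src: 1;` from both lines while they are being touched, and confirm that an unrecognised option name is rejected by the rule parser rather than silently ignored. The 21600-second flowbit lifetime is also undocumented; a short comment above the pair saying what downstream rule is expected to check `brute_force` would make the choice reviewable.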
@@ -45,3 +45,7 @@
 alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] Unable to bind to address" ; content: "listen"; content: "failed in"; classtype: program-error; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000094; sid:5000094; rev:2;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg: "[PROFTPD] User logged into an disabled account"; content: "Login successful"; pcre: "/^apache$|^mysql$|^www$|^nobody$|^nogroup$|^portmap$|^named$|^rpc$|^mail$|^ftp$|^shutdown$|^halt$|^daemon$|^bin$|^postfix$|^shell$|^info$|^guest$|^psql$|^user$|^users$|^console$|^uucp$|^lp$|^sync$|^sshd$|^cdrom$|^ossec$|^sagan$/"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000413; program: sshd; sid: 5000413; rev:2;)
+# Rule by W. E Restrepo (werestrepo@quadrantsec.com) - 08/30/2016
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[PROFTP] FTPCHK3 file accessed by user"; content: "ftpchk3"; pcre: "/CHMOD|DELE|STOR/i"; parse_src_ip: 3; program: proftpd; classtype: suspicious-traffic; reference: blog.ftptoday.com/ftp-password-stealing-malware; reference: url,wiki.quadrantsec.com/bin/view/Main/5002951; sid:5002951; rev: 2;)
+
diff -Nru sagan-rules-10222015/proxy-malware.rules sagan-rules-20160923/proxy-malware.rules
--- sagan-rules-10222015/proxy-malware.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/proxy-malware.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan proxy-malware.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/pure-ftpd.rules sagan-rules-20160923/pure-ftpd.rules
--- sagan-rules-10222015/pure-ftpd.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/pure-ftpd.rules 2016-09-21 02:52:28.000000000 +0000
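Review bot: The first reference on the new sid 5002951 is `reference: blog.ftptoday.com/ftp-password-stealing-malware;`, with no `url,` type prefix; every other reference in these files, including the pure-ftpd twin 5002952 for the same link, uses `url,`, so here the hostname is parsed as the reference type and the link is unlikely to resolve through reference.config. It should be `reference: url,blog.ftptoday.com/ftp-password-stealing-malware;`. The msg tag is also `[PROFTP]` where the rest of the file and the new bluedot rule use `[PROFTPD]`, which will separate these alerts from the other proftpd signatures in anything that groups on the tag; `msg: "[PROFTPD] FTPCHK3 file accessed by user"` keeps it consistent, and the sid-msg.map entry (not in this chunk) should match whichever wording is kept.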
@@ -1,5 +1,5 @@
 # Sagan pure-ftpd.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -33,3 +33,8 @@
 alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PUREFTPD] FTP Authentication successful"; pcre: "/[INFO] \S+ is now logged in/"; classtype: successful-user; program: pure-ftpd; reference : url,wiki.quadrantsec.com/bin/view/Main/5000222; sid: 5000222; rev:2;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg: "[PUREFTPD] User logged into an disabled account"; pcre: "/[INFO] \S+ is now logged in/";; pcre: "/^apache$|^mysql$|^www$|^nobody$|^nogroup$|^portmap$|^named$|^rpc$|^mail$|^ftp$|^shutdown$|^halt$|^daemon$|^bin$|^postfix$|^shell$|^info$|^guest$|^psql$|^user$|^users$|^console$|^uucp$|^lp$|^sync$|^sshd$|^cdrom$|^ossec$|^sagan$/"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000414; program: sshd; sid: 5000414; rev:2;)
+# Rule by W. E Restrepo (werestrepo@quadrantsec.com) - 08/30/2016
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[PUREFTPD] FTPCHK3 file accessed by user"; content: "ftpchk3"; pcre: "/CHMOD|DELE|STOR/i"; program: pure-ftpd; classtype: suspicious-traffic; reference: url,blog.ftptoday.com/ftp-password-stealing-malware; reference: url,wiki.quadrantsec.com/bin/view/Main/5002952; sid:5002952; rev: 2;)
+
+
diff -Nru sagan-rules-10222015/racoon.rules sagan-rules-20160923/racoon.rules
--- sagan-rules-10222015/racoon.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/racoon.rules 2016-09-21 02:52:28.000000000 +0000
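Review bot: The new sid 5002952 has no `parse_src_ip`, unlike its proftpd counterpart 5002951 which uses `parse_src_ip: 3`, so the alert's source will presumably be whatever Sagan falls back to for the log line (most likely the syslog sender, i.e. the FTP server itself) rather than the client that issued the CHMOD/DELE/STOR on ftpchk3. That matters here because the rule is meant to catch a stolen-credential upload and the client address is what an analyst will pivot on. If pure-ftpd's log line carries the client address, add `parse_src_ip: N;` with N chosen against a captured sample line; if it does not, a one-line comment saying so would stop the next maintainer from adding one by analogy with the proftpd rule.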
@@ -1,5 +1,5 @@
 # Sagan racoon.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/riverbed-aetas.rules sagan-rules-20160923/riverbed-aetas.rules
--- sagan-rules-10222015/riverbed-aetas.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/riverbed-aetas.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan riverbed-aetas.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/riverbed-bluedot.rules sagan-rules-20160923/riverbed-bluedot.rules
--- sagan-rules-10222015/riverbed-bluedot.rules 1970-01-01 00:00:00.000000000 +0000
+++ sagan-rules-20160923/riverbed-bluedot.rules 2016-09-21 02:52:28.000000000 +0000
@@ -0,0 +1,31 @@
+# Sagan riverbed-bluedot.rules
+# Copyright (c) 2009-2016, Quadrant Information Security
+# All rights reserved.
+#
+# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
+#
+#*************************************************************
+# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
+# following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
+# disclaimer.
+# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
+# following disclaimer in the documentation and/or other materials provided with the distribution.
+# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#*************************************************************
+
+# 10.3.1.1|local1|notice|notice|8d|2014-04-16|13:41:29|webasd| [web.NOTICE]: web: User bob logged in from 10.7.8.1, session count: 1.
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"[RIVERBED-BLUEDOT] Administrator Login a suspicious source"; content: "logged in"; parse_src_ip: 1; classtype: successful-admin; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002909; program: webasd; sid:5002909; rev:2;)
+
diff -Nru sagan-rules-10222015/riverbed-geoip.rules sagan-rules-20160923/riverbed-geoip.rules
--- sagan-rules-10222015/riverbed-geoip.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/riverbed-geoip.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan riverbed-geoip.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/riverbed.rules sagan-rules-20160923/riverbed.rules
--- sagan-rules-10222015/riverbed.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/riverbed.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan riverbed.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
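Review bot: The message on the new sid 5002909 reads `Administrator Login a suspicious source`; the word `from` is missing, and since this string is what the console shows and what sagan-sid-msg.map must mirror, it should be `msg:"[RIVERBED-BLUEDOT] Administrator Login from a suspicious source"` in both places (the map entry for 5002909 is not in this chunk). Separately, the sample line above the rule shows an ordinary user `bob` logging in while the rule classifies every `logged in` line as `successful-admin`; if the webasd UI also has non-admin accounts, a one-line comment noting that the classtype is deliberate would keep the alert from being misread.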
@@ -36,5 +36,5 @@
 # 10.3.1.1|local1|notice|notice|8d|2014-04-16|13:42:55|webasd| [web.NOTICE]: web: User bob from 10.7.8.1 with the given password is not recognized: You must provide a valid account name and password.
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"[RIVERBED] Administrator Login Failure"; content: "password is not recognized"; parse_src_ip: 1; classtype: unsuccessful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5002031; program: webasd; sid: 5002031; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"[RIVERBED] Administrator Login Failure - Brute Force [5/5]"; content: "password is not recognized"; parse_src_ip: 1; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; classtype: unsuccessful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5002033; program: webasd; sid: 5002033; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"[RIVERBED] Administrator Login Failure - Brute Force [5/5]"; content: "password is not recognized"; parse_src_ip: 1; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; classtype: unsuccessful-admin; flowbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5002033; program: webasd; sid: 5002033; rev:2;)
diff -Nru sagan-rules-10222015/roundcube.rules sagan-rules-20160923/roundcube.rules
--- sagan-rules-10222015/roundcube.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/roundcube.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan roundcube.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/rsync.rules sagan-rules-20160923/rsync.rules
--- sagan-rules-10222015/rsync.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/rsync.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan rsync.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/sagan-sid-msg.map sagan-rules-20160923/sagan-sid-msg.map
--- sagan-rules-10222015/sagan-sid-msg.map 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/sagan-sid-msg.map 2016-09-21 03:17:00.000000000 +0000
@@ -13,20 +13,20 @@
 5000012 || [BASH] /tmp/sh access || url,wiki.quadrantsec.com/bin/view/Main/5000012
 5000013 || [BASH] suidperl access || url,wiki.quadrantsec.com/bin/view/Main/5000013
 5000014 || [BASH] histfile=/dev/null || url,wiki.quadrantsec.com/bin/view/Main/5000014
-5000015 || [OPENSSH] PAM Authentication failure - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5000015
+5000015 || [OPENSSH] PAM Authentication failure - Brute force [10/1] || url,wiki.quadrantsec.com/bin/view/Main/5000015
 5000016 || [OPENSSH] Authentication failure - Brute force [10/1] || url,wiki.quadrantsec.com/bin/view/Main/5000016
 5000017 || [OPENSSH] Authentication failure for root - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5000017
 5000018 || [OPENSSH] Possible break-in attempt || url,wiki.quadrantsec.com/bin/view/Main/5000018
 5000020 || [OPENSSH] Not executable shell - login attempt || url,wiki.quadrantsec.com/bin/view/Main/5000020
 5000021 || [OPENSSH] Message send write error || url,wiki.quadrantsec.com/bin/view/Main/5000021
-5000022 || [OPENSSH] Invalid or illegal user [Brute Force] [10/5] || url,wiki.quadrantsec.com/bin/view/Main/5000022
+5000022 || [OPENSSH] Invalid or illegal user [Brute Force] [10/1] || url,wiki.quadrantsec.com/bin/view/Main/5000022
 5000023 || [OPENSSH] Out-of-Band challenge failure || url,wiki.quadrantsec.com/bin/view/Main/5000023
 5000024 || [SU] SUDO user NOT in sudoers || url,wiki.quadrantsec.com/bin/view/Main/5000024
 5000025 || [SU] SUDO authentication failure - Brute force [3/5] || url,wiki.quadrantsec.com/bin/view/Main/5000025
 5000027 || [SU] Successful su as root || url,wiki.quadrantsec.com/bin/view/Main/5000027
 5000028 || [SU] FAILED su - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5000028
-5000029 || GRSEC Time set || url,wiki.quadrantsec.com/bin/view/Main/5000029
-5000030 || GRSEC Signal 11 sent || url,wiki.quadrantsec.com/bin/view/Main/5000030
+5000029 || [GRSEC] Time set ||
url,wiki.quadrantsec.com/bin/view/Main/5000029
+5000030 || [GRSEC] Signal 11 sent || url,wiki.quadrantsec.com/bin/view/Main/5000030
 5000031 || TCP Treason uncloaked || url,wiki.quadrantsec.com/bin/view/Main/5000031
 5000032 || [IPOP3D] Excessive login failures || url,wiki.quadrantsec.com/bin/view/Main/5000032
 5000034 || [SENDMAIL] VRFY or EXPN root attempt || nessus,10249 || cve,1999-0531 || arachnids,31 || url,wiki.quadrantsec.com/bin/view/Main/5000034
@@ -36,7 +36,7 @@
 5000038 || [MILTER] Milter error state || url,wiki.quadrantsec.com/bin/view/Main/5000038
 5000039 || [MILTER] Mimedefang - No response from slave || url,wiki.quadrantsec.com/bin/view/Main/5000039
 5000041 || [NTP] Permission denied error || url,wiki.quadrantsec.com/bin/view/Main/5000041
-5000042 || GRSEC Denied resource overstep || url,wiki.quadrantsec.com/bin/view/Main/5000042
+5000042 || [GRSEC] Denied resource overstep || url,wiki.quadrantsec.com/bin/view/Main/5000042
 5000043 || [SQUID] TCP_DENIED || url,wiki.quadrantsec.com/bin/view/Main/5000043
 5000044 || [SQUID] TCP_DENIED unsupported-request-method || url,wiki.quadrantsec.com/bin/view/Main/5000044
 5000045 || [SQUID] TCP_DENIED invalid-request || url,wiki.quadrantsec.com/bin/view/Main/5000045
@@ -724,7 +724,7 @@
 5000762 || [CISCO-PIXASA] NAC Downloaded ACL parse failure || url, wiki.quadrantsec.com/bin/view/Main/5000762
 5000763 || [CISCO-PIXASA] Shun add failed unable to allocate resources || url, wiki.quadrantsec.com/bin/view/Main/5000763
 5000764 || [CISCO-PIXASA] IPSEC Received an protocol packet from remote IP to local IP that failed anti-replay checking [0/5] || url, wiki.quadrantsec.com/bin/view/Main/5000764
-5000765 || [CISCO-PIXASA] IPSEC Received an protocol packet from remote IP to local IP that failed authentication [0/5] || url, wiki.quadrantsec.com/bin/view/Main/5000765
+5000765 || [CISCO-PIXASA] IPSEC Received an ESP packet from remote IP to local IP that failed authentication [0/5] || url, wiki.quadrantsec.com/bin/view/Main/5000765
 5000766 || [CISCO-PIXASA] CRYPTO The hardware accelerator encountered an error while executing crypto command || url, wiki.quadrantsec.com/bin/view/Main/5000766
 5000767 || [CISCO-PIXASA] PPPoE failed to assign PPP IP address || url, wiki.quadrantsec.com/bin/view/Main/5000767
 5000768 || [CISCO-PIXASA] ISAKMP Failed to allocate address for client from pool string || url, wiki.quadrantsec.com/bin/view/Main/5000768
@@ -1036,7 +1036,7 @@
 5001080 || [ARP] arpalert - MAC address flood || url,wiki.quadrantsec.com/bin/view/Main/5001080
 5001081 || [ARP] arpalert - MAC address blacklisted || url,wiki.quadrantsec.com/bin/view/Main/5001081
 5001082 || [ARP] arpalert - MAC address changed || url,wiki.quadrantsec.com/bin/view/Main/5001082
-5001083 || [SONICWALL] Possible TCP Port Scan || url,wiki.quadrantsec.com/bin/view/Main/5001083
+5001083 || [SONICWALL] Possible TCP Port Scan || url,wiki.quadrantsec.com/bin/view/Main/5001085
 5001084 || [SONICWALL] IPS Detection Alert || url,wiki.quadrantsec.com/bin/view/Main/5001084
 5001085 || [SONICWALL] Possible UDP Port Scan || url,wiki.quadrantsec.com/bin/view/Main/5001085
 5001086 || [CISCO-PIXASA] Access denied URL || url, wiki.quadrantsec.com/bin/view/Main/5001086
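Review bot: The only change to the 5001083 entry is its reference, which now points at `url,wiki.quadrantsec.com/bin/view/Main/5001085` — the wiki page of the UDP port-scan sid two lines below — while the message stays the TCP one, so this looks like a copy/paste slip rather than an intended retarget. The line should keep `5001083 || [SONICWALL] Possible TCP Port Scan || url,wiki.quadrantsec.com/bin/view/Main/5001083`; if the corresponding rule in sonicwall.rules was edited the same way (that file is not in this chunk), it needs the same correction so the rule and the map agree.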
@@ -1629,7 +1629,7 @@
 5001695 || [WINDOWS-AUTH] User added to Domain Administrators group || url,wiki.quadrantsec.com/bin/view/Main/5001695
 5001696 || [WINDOWS-AUTH] User added to Enterprise Administrators group || url,wiki.quadrantsec.com/bin/view/Main/5001696
 5001697 || [WINDOWS-AUTH] User added to Group Policy Creator Owner group || url,wiki.quadrantsec.com/bin/view/Main/5001696
-5001699 || [WEB-ATTACK] Havij SQL Injection Tool Identified || url,wiki.quadrantsec.com/bin/view/Main/5001699
+5001699 || [WEB-ATTACKS] Havij SQL Injection Tool Identified || url,wiki.quadrantsec.com/bin/view/Main/5001699
 5001700 || [WEB-ATTACKS] UNION ALL SELECT in URL - Possible SQL Injection || url,wiki.quadrantsec.com/bin/view/Main/5001700
 5001701 || [WEB-ATTACKS] SQL Injection Using Encapsulated Data - x=x || url,wiki.quadrantsec.com/bin/view/Main/5001701
 5001702 || [WEB-ATTACKS] SQL Injection Using Encapsulated Data - 1=1 || url,wiki.quadrantsec.com/bin/view/Main/5001702
@@ -1735,8 +1735,8 @@
 5001802 || [WEB-ATTACKS] Hmap Webserver Fingerprint Scan || url,doc.emergingthreats.net/2008537 || url,www.ujeni.murkyroc.com/hmap/
 5001803 || [WEB-ATTACKS] Mini MySqlatOr SQL Injection Scanner || url,doc.emergingthreats.net/2008729 || url,www.scrt.ch/pages_en/minimysqlator.html
 5001804 || [WEB-ATTACKS] Default Mysqloit User Agent Detected - Mysql Injection Takover Tool || url,doc.emergingthreats.net/2009882 || url,code.google.com/p/mysqloit/
-5001805 || [WEB-ATTACKS] Nmap Scripting Engine User-Agent Detected (Nmap NSE) || url,doc.emergingthreats.net/2009359
-5001806 || [WEB-ATTACKS] Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine) || url,doc.emergingthreats.net/2009358
+5001805 || [WEB-ATTACKS] Nmap Scripting Engine User-Agent Detected - Nmap NSE || url,doc.emergingthreats.net/2009359
+5001806 || [WEB-ATTACKS] Nmap Scripting Engine User-Agent Detected - Nmap Scripting Engine || url,doc.emergingthreats.net/2009358
 5001807 || [WEB-ATTACKS] Nessus User Agent || url,doc.emergingthreats.net/2002664 || url,www.nessus.org
 5001808 || [WEB-ATTACKS] Netsparker Default User-Agent || url,www.mavitunasecurity.com/communityedition/
 5001809 || [WEB-ATTACKS] Nikto Web App Scan in Progress || url,doc.emergingthreats.net/2002677 || url,www.cirt.net/code/nikto.shtml
@@ -1882,7 +1882,7 @@
 5001950 || [CISCO-GEOIP] VPN login from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5001950
 5001951 || [WINDOWS-MALWARE] Black POS Malware Detected [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5001951
 5001952 || [CISCO-IOS] Login Success || url,wiki.quadrantsec.com/bin/view/Main/5001952
-5001954 || [OPENSSH] SYSLOG Authentication failure - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5001954
+5001954 || [OPENSSH] SYSLOG Authentication failure - Brute force [5/1] || url,wiki.quadrantsec.com/bin/view/Main/5001954
 5001955 || [FATPIPE] Login Success || url,wiki.quadrantsec.com/bin/view/Main/5001955
 5001956 || [FATPIPE] Login Success - ADMINISTRATOR || url,wiki.quadrantsec.com/bin/view/Main/5001956
 5001957 || [FATPIPE] Login Failed || url,wiki.quadrantsec.com/bin/view/Main/5001957
@@ -1979,7 +1979,7 @@
 5002057 || [WINDOWS-GEOIP] Logon attempt using explicit credentials at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002057
 5002058 || [CISCO-GEOIP] VPN login from outside HOME_COUNTRY [2] || url, wiki.quadrantsec.com/bin/view/Main/5002058
 5002059 || [CISCO-GEOIP] FTP file transfer from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5002059
-5002060 || [CISCO-GEOIP] FTP file transfer from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5002060
+5002060 || [CISCO-GEOIP] FTP file transfer to outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5002060
 5002061 || [PROXY-MALWARE] Tor2www Request || url,www.tor2www.com
 5002062 || [PROXY-MALWARE] Tor2web Request || url,www.tor2web.org
 5002063 || [BRO] SSH Password_Guessing [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5002063
@@ -1994,11 +1994,11 @@
 5002072 || [BRO] Probable LURK0 RAT C&C Access || url,wiki.quadrantsec.com/bin/view/Main/5002072
 5002073 || [BRO] Sidejacking attach detected || url,matthias.vallentin.net/blog/2010/10/taming-the-sheep-detecting-sidejacking-with-bro || url,wiki.quadrantsec.com/bin/view/Main/5002073
 5002074 || [BRO] Bitcoin Miner [0/10] || url,wiki.quadrantsec.com/bin/view/Main/5002074
-5002075 || [IMAPD-GEOIP] Login from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5002075
-5002076 || [IMAPD-GEOIP] Logout from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5002076
-5002077 || [IMAPD-GEOIP] Timeout from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5002077
-5002078 || [IMAPD-GEOIP] Disconnect from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5002078
-5002079 || [IMAPD-GEOIP] Connection from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5002079
+5002075 || [IMAPD-BLUEDOT] Login from a suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002075
+5002076 || [IMAPD-BLUEDOT] Logout from a suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002076
+5002077 || [IMAPD-BLUEDOT] Timeout from a suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002077
+5002078 || [IMAPD-BLUEDOT] Disconnect from a suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002078
+5002079 || [IMAPD-BLUEDOT] Connection from a suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002079
 5002080 || [ARTILLERY] General Artillery Message || url,www.trustedsec.com/downloads/artillery || url,wiki.quadrantsec.com/bin/view/Main/5002080
 5002081 || [ARTILLERY] FTP brute force violation || url,www.trustedsec.com/downloads/artillery || url,wiki.quadrantsec.com/bin/view/Main/5002081
 5002082 || [ARTILLERY] Issue identified - Permissions not set as root || url,www.trustedsec.com/downloads/artillery || url,wiki.quadrantsec.com/bin/view/Main/5002082
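Review bot: Sids 5002075–5002079 keep their numbers but change meaning from IMAPD-GEOIP (country-based) to IMAPD-BLUEDOT (reputation-based), so any stored alerts, dashboards or suppressions keyed on those sids are relabelled retroactively and the GEOIP messages disappear from the map. Elsewhere in this change the new Bluedot rules got fresh sids (5002908, 5002909) rather than reusing GeoIP ones; unless the imapd-geoip rules were deleted outright (the rule files are not in this chunk), the same approach — new sids for the bluedot variants, old entries left in place — is the safer one. If the reuse is intentional, a comment in the map or the changelog noting it would help anyone reconciling historical alerts.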
@@ -2041,59 +2041,59 @@
 5002119 || [CISCO-WLC] NetStumbler generic detected || url,wiki.quadrantsec.com/bin/view/Main/5002119 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html
 5002120 || [CISCO-WLC] Wellenreiter detected || url,wiki.quadrantsec.com/bin/view/Main/5002120 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html
 5002121 || [CISCO-WLC] Big NAV Dos attack || url,wiki.quadrantsec.com/bin/view/Main/5002121 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html
-5002122 || [CISCO-PRIME] BIG NAV DOS Attack || url,wiki.quadrantsec.com/bin/view/Main/5002122 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002123 || [CISCO-PRIME] Rogue AP detect and contained || url,wiki.quadrantsec.com/bin/view/Main/5002123 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002124 || [CISCO-PRIME] Rogue AP detected exceed theshold || url,wiki.quadrantsec.com/bin/view/Main/5002124 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002125 || [CISCO-PRIME] SNMP Authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5002125 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002126 || [CISCO-PRIME] Authentication failure by local management user/MAC || url,wiki.quadrantsec.com/bin/view/Main/5002126 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002127 || [CISCO-PRIME] Rogue AP or ADHOC detected || url,wiki.quadrantsec.com/bin/view/Main/5002127 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002128 || [CISCO-PRIME] Rogue AP on the network!
|| url,wiki.quadrantsec.com/bin/view/Main/5002128 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002129 || [CISCO-PRIME] Rogue AP has been removed || url,wiki.quadrantsec.com/bin/view/Main/5002129 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002130 || [CISCO-PRIME] Internal high temperature detected! || url,wiki.quadrantsec.com/bin/view/Main/5002130 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002131 || [CISCO-PRIME] Internal low temperature detected! || url,wiki.quadrantsec.com/bin/view/Main/5002131 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002132 || [CISCO-PRIME] Station authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5002132 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002133 || [CISCO-PRIME] Station association failure || url,wiki.quadrantsec.com/bin/view/Main/5002133 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002134 || [CISCO-PRIME] Station blacklisted || url,wiki.quadrantsec.com/bin/view/Main/5002134 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002135 || [CISCO-PRIME] Duplicate IP address assigned to controller || url,wiki.quadrantsec.com/bin/view/Main/5002135 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002136 || [CISCO-PRIME] Possible brute force from management user!
|| url,wiki.quadrantsec.com/bin/view/Main/5002136 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002137 || [CISCO-PRIME] Rogue ADHOC contained || url,wiki.quadrantsec.com/bin/view/Main/5002137 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002138 || [CISCO-PRIME] Rogue AP auto contained || url,wiki.quadrantsec.com/bin/view/Main/5002138 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002140 || [CISCO-PRIME] Trusted AP has invalid encryption || url,wiki.quadrantsec.com/bin/view/Main/5002140 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002141 || [CISCO-PRIME] Trusted AP has invalid radio policy || url,wiki.quadrantsec.com/bin/view/Main/5002141 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002142 || [CISCO-PRIME] Trusted AP has invalid SSID || url,wiki.quadrantsec.com/bin/view/Main/5002142 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002143 || [CISCO-PRIME] Trusted AP missing || url,wiki.quadrantsec.com/bin/view/Main/5002143 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002144 || [CISCO-PRIME] AP impersionation detected! || url,wiki.quadrantsec.com/bin/view/Main/5002144 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002145 || [CISCO-PRIME] WIDS / Signature attack detected! || url,wiki.quadrantsec.com/bin/view/Main/5002145 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002146 || [CISCO-PRIME] WIDS / Signature attack detected!
|| url,wiki.quadrantsec.com/bin/view/Main/5002146 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002147 || [CISCO-PRIME] MESH Console login || url,wiki.quadrantsec.com/bin/view/Main/5002147 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002148 || [CISCO-PRIME] MESH authorization failure || url,wiki.quadrantsec.com/bin/view/Main/5002148 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002149 || [CISCO-PRIME] Shun client alert from IDS/IPS appliance! || url,wiki.quadrantsec.com/bin/view/Main/5002149 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002150 || [CISCO-PRIME] MFP anomaly detected || url,wiki.quadrantsec.com/bin/view/Main/5002150 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002151 || [CISCO-PRIME] MESH authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5002151 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002152 || [CISCO-PRIME] GUEST user created on controller || url,wiki.quadrantsec.com/bin/view/Main/5002152 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002153 || [CISCO-PRIME] GUEST user authenticated || url,wiki.quadrantsec.com/bin/view/Main/5002153 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002154 || [CISCO-PRIME] GUEST user logoff || url,wiki.quadrantsec.com/bin/view/Main/5002154 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
-5002155 || [CISCO-PRIME] SI Security trap raised!
|| url,wiki.quadrantsec.com/bin/view/Main/5002155 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html -5002156 || [CISCO-PRIME] Cooling fan failure [MSE-3355] || url,wiki.quadrantsec.com/bin/view/Main/5002156 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html -5002157 || [CISCO-PRIME] Friendly rogue AP detected on network || url,wiki.quadrantsec.com/bin/view/Main/5002157 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html -5002158 || [CISCO-PRIME] Friendly rogue AP detected || url,wiki.quadrantsec.com/bin/view/Main/5002158 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html -5002159 || [CISCO-PRIME] Unclassified rogue AP detected on network || url,wiki.quadrantsec.com/bin/view/Main/5002159 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html -5002160 || [CISCO-PRIME] Unclassified rogue AP detected on network contained || url,wiki.quadrantsec.com/bin/view/Main/5002160 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html -5002161 || [CISCO-PRIME] Unclassified rogue AP detected contained || url,wiki.quadrantsec.com/bin/view/Main/5002161 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html -5002162 || [CISCO-PRIME] Unclassified rogue AP detected || url,wiki.quadrantsec.com/bin/view/Main/5002162 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html -5002163 || [CISCO-PRIME] Malicious rogue AP detected on the network || url,wiki.quadrantsec.com/bin/view/Main/5002163 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html -5002164 || [CISCO-PRIME] Malicious rogue AP detected on the network contained || url,wiki.quadrantsec.com/bin/view/Main/5002164 || 
url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html -5002165 || [CISCO-PRIME] Malicious rogue AP detected contained || url,wiki.quadrantsec.com/bin/view/Main/5002165 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html -5002166 || [CISCO-PRIME] Malicious rogue AP || url,wiki.quadrantsec.com/bin/view/Main/5002166 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html -5002167 || [CISCO-PRIME] Rogue ADHOC detected on network || url,wiki.quadrantsec.com/bin/view/Main/5002167 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html -5002168 || [CISCO-PRIME] Rogue ADHOC detected on network contained || url,wiki.quadrantsec.com/bin/view/Main/5002168 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html -5002170 || [CISCO-PRIME] Rogue AP state change || url,wiki.quadrantsec.com/bin/view/Main/5002170 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html -5002171 || [CISCO-PRIME] Rogue detected || url,wiki.quadrantsec.com/bin/view/Main/5002171 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html -5002172 || [CISCO-PRIME] Rogue detected contained || url,wiki.quadrantsec.com/bin/view/Main/5002172 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html -5002173 || [CISCO-PRIME] Rogue detected on network || url,wiki.quadrantsec.com/bin/view/Main/5002173 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html -5002174 || [CISCO-PRIME] Rogue auto contained || url,wiki.quadrantsec.com/bin/view/Main/5002174 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html -5002175 || [CISCO-PRIME] User authentication failure || 
url,wiki.quadrantsec.com/bin/view/Main/5002175 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html -5002176 || [CISCO-PRIME] WIPS Event! || url,wiki.quadrantsec.com/bin/view/Main/5002176 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002122 || [CISCO-PRIME] BIG NAV DOS Attack || url,wiki.quadrantsec.com/bin/view/Main/5002122 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002123 || [CISCO-PRIME] Rogue AP detect and contained || url,wiki.quadrantsec.com/bin/view/Main/5002123 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002124 || [CISCO-PRIME] Rogue AP detected exceed theshold || url,wiki.quadrantsec.com/bin/view/Main/5002124 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002125 || [CISCO-PRIME] SNMP Authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5002125 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002126 || [CISCO-PRIME] Authentication failure by local management user/MAC || url,wiki.quadrantsec.com/bin/view/Main/5002126 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002127 || [CISCO-PRIME] Rogue AP or ADHOC detected || url,wiki.quadrantsec.com/bin/view/Main/5002127 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002128 || [CISCO-PRIME] Rogue AP on the network! || url,wiki.quadrantsec.com/bin/view/Main/5002128 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002129 || [CISCO-PRIME] Rogue AP has been removed || url,wiki.quadrantsec.com/bin/view/Main/5002129 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002130 || [CISCO-PRIME] Internal high temperature detected! 
|| url,wiki.quadrantsec.com/bin/view/Main/5002130 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002131 || [CISCO-PRIME] Internal low temperature detected! || url,wiki.quadrantsec.com/bin/view/Main/5002131 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002132 || [CISCO-PRIME] Station authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5002132 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002133 || [CISCO-PRIME] Station association failure || url,wiki.quadrantsec.com/bin/view/Main/5002133 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002134 || [CISCO-PRIME] Station blacklisted || url,wiki.quadrantsec.com/bin/view/Main/5002134 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002135 || [CISCO-PRIME] Duplicate IP address assigned to controller || url,wiki.quadrantsec.com/bin/view/Main/5002135 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002136 || [CISCO-PRIME] Possible brute force from management user! 
|| url,wiki.quadrantsec.com/bin/view/Main/5002136 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002137 || [CISCO-PRIME] Rogue ADHOC contained || url,wiki.quadrantsec.com/bin/view/Main/5002137 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002138 || [CISCO-PRIME] Rogue AP auto contained || url,wiki.quadrantsec.com/bin/view/Main/5002138 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002140 || [CISCO-PRIME] Trusted AP has invalid encryption || url,wiki.quadrantsec.com/bin/view/Main/5002140 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002141 || [CISCO-PRIME] Trusted AP has invalid radio policy || url,wiki.quadrantsec.com/bin/view/Main/5002141 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002142 || [CISCO-PRIME] Trusted AP has invalid SSID || url,wiki.quadrantsec.com/bin/view/Main/5002142 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002143 || [CISCO-PRIME] Trusted AP missing || url,wiki.quadrantsec.com/bin/view/Main/5002143 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002144 || [CISCO-PRIME] AP impersionation detected! || url,wiki.quadrantsec.com/bin/view/Main/5002144 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002145 || [CISCO-PRIME] WIDS / Signature attack detected! || url,wiki.quadrantsec.com/bin/view/Main/5002145 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002146 || [CISCO-PRIME] WIDS / Signature attack detected! 
|| url,wiki.quadrantsec.com/bin/view/Main/5002146 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002147 || [CISCO-PRIME] MESH Console login || url,wiki.quadrantsec.com/bin/view/Main/5002147 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002148 || [CISCO-PRIME] MESH authorization failure || url,wiki.quadrantsec.com/bin/view/Main/5002148 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002149 || [CISCO-PRIME] Shun client alert from IDS/IPS appliance! || url,wiki.quadrantsec.com/bin/view/Main/5002149 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002150 || [CISCO-PRIME] MFP anomaly detected || url,wiki.quadrantsec.com/bin/view/Main/5002150 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002151 || [CISCO-PRIME] MESH authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5002151 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002152 || [CISCO-PRIME] GUEST user created on controller || url,wiki.quadrantsec.com/bin/view/Main/5002152 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002153 || [CISCO-PRIME] GUEST user authenticated || url,wiki.quadrantsec.com/bin/view/Main/5002153 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002154 || [CISCO-PRIME] GUEST user logoff || url,wiki.quadrantsec.com/bin/view/Main/5002154 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002155 || [CISCO-PRIME] SI Security trap raised! 
|| url,wiki.quadrantsec.com/bin/view/Main/5002155 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002156 || [CISCO-PRIME] Cooling fan failure [MSE-3355] || url,wiki.quadrantsec.com/bin/view/Main/5002156 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002157 || [CISCO-PRIME] Friendly rogue AP detected on network || url,wiki.quadrantsec.com/bin/view/Main/5002157 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002158 || [CISCO-PRIME] Friendly rogue AP detected || url,wiki.quadrantsec.com/bin/view/Main/5002158 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002159 || [CISCO-PRIME] Unclassified rogue AP detected on network || url,wiki.quadrantsec.com/bin/view/Main/5002159 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002160 || [CISCO-PRIME] Unclassified rogue AP detected on network contained || url,wiki.quadrantsec.com/bin/view/Main/5002160 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002161 || [CISCO-PRIME] Unclassified rogue AP detected contained || url,wiki.quadrantsec.com/bin/view/Main/5002161 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002162 || [CISCO-PRIME] Unclassified rogue AP detected || url,wiki.quadrantsec.com/bin/view/Main/5002162 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002163 || [CISCO-PRIME] Malicious rogue AP detected on the network || url,wiki.quadrantsec.com/bin/view/Main/5002163 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002164 || [CISCO-PRIME] Malicious rogue AP detected on the network contained || url,wiki.quadrantsec.com/bin/view/Main/5002164 || 
url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002165 || [CISCO-PRIME] Malicious rogue AP detected contained || url,wiki.quadrantsec.com/bin/view/Main/5002165 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002166 || [CISCO-PRIME] Malicious rogue AP || url,wiki.quadrantsec.com/bin/view/Main/5002166 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002167 || [CISCO-PRIME] Rogue ADHOC detected on network || url,wiki.quadrantsec.com/bin/view/Main/5002167 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002168 || [CISCO-PRIME] Rogue ADHOC detected on network contained || url,wiki.quadrantsec.com/bin/view/Main/5002168 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002170 || [CISCO-PRIME] Rogue AP state change || url,wiki.quadrantsec.com/bin/view/Main/5002170 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002171 || [CISCO-PRIME] Rogue detected || url,wiki.quadrantsec.com/bin/view/Main/5002171 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002172 || [CISCO-PRIME] Rogue detected contained || url,wiki.quadrantsec.com/bin/view/Main/5002172 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002173 || [CISCO-PRIME] Rogue detected on network || url,wiki.quadrantsec.com/bin/view/Main/5002173 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002174 || [CISCO-PRIME] Rogue auto contained || url,wiki.quadrantsec.com/bin/view/Main/5002174 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html +5002175 || [CISCO-PRIME] User authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5002175 || 
url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
+5002176 || [CISCO-PRIME] WIPS Event! || url,wiki.quadrantsec.com/bin/view/Main/5002176 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html
 5002177 || [OPENSSH-CORRELATED] SSH login success after brute force attack! || url,wiki.quadrantsec.com/bin/view/Main/5002176
 5002178 || [OPENSSH-CORRELATED] Accepted publickey after brute force attack! || url,wiki.quadrantsec.com/bin/view/Main/5002178
 5002179 || [BASH] Remote execution attempt via CVE-2014-6271 || url,web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 || url,wiki.quadrantsec.com/bin/view/Main/5002179
@@ -2238,7 +2238,7 @@
 5002337 || [WINDOWS-GEOIP] Windows Network Cleartext from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002337
 5002338 || [WINDOWS-GEOIP] Windows Session Disconnected from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002338
 5002339 || [WINDOWS-GEOIP] Windows RDP Session Disconnected from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002339
-5002340 || [WINDOWS-GEOIP] Explicit Windows Logon || url,wiki.quadrantsec.com/bin/view/Main/5002340
+5002340 || [WINDOWS-GEOIP] Attempted explicit windows logon || url,wiki.quadrantsec.com/bin/view/Main/5002340
 5002341 || [CITRIX-BLUEDOT] Login from Bluedot listed IP || url,wiki.quadrantsec.com/bin/view/Main/5002341 || url,support.citrix.com/article/CTX123875
 5002342 || [CITRIX-BLUEDOT] AAA LOGIN_FAILED from Bluedot listed IP || url,wiki.quadrantsec.com/bin/view/Main/5002342 || url,support.citrix.com/article/CTX123875
 5002343 || [CITRIX-BLUEDOT] SSLVPN HTTPREQUEST from Bluedot listed IP || url,wiki.quadrantsec.com/bin/view/Main/5002343 || url,support.citrix.com/article/CTX123875
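Review bot: The rewritten 5002340 entry in the `@@ -2238` hunk lowercases "windows" (`Attempted explicit windows logon`) while the three WINDOWS-GEOIP context lines directly above it all write "Windows"; the map text is what downstream tooling shows analysts for this sid, so the casing should follow its siblings: `+5002340 || [WINDOWS-GEOIP] Attempted Explicit Windows Logon || url,wiki.quadrantsec.com/bin/view/Main/5002340`. This file presumably mirrors the `msg:` of the rule carrying sid 5002340 in the rules file; that string is not visible here, so worth confirming the two were changed together and match byte-for-byte, otherwise the map and the alert output will disagree.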
@@ -2369,7 +2369,7 @@
 5002468 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x7 - Server not found in Kerberos database [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002468
 5002469 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x8 - Multiple principal entries in database [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002469
 5002470 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x9 - The client or server has a null key [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002470
-5002471 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xA - Ticket not eligible for postdating [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002471
+5002471 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xA - Ticket not eligible for postdating [25/1]
 5002472 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xB - Requested start time is later than end time [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002472
 5002473 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xC - KDC policy rejects request [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002473
 5002475 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xD - KDC cannot accommodate requested option [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002475
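Review bot: The new 5002471 line in the `@@ -2369` hunk drops the `|| url,wiki.quadrantsec.com/bin/view/Main/5002471` reference that the removed line carried, while the message text is byte-identical to the old one and every sibling entry (0x7 through 0xD) in the hunk keeps its wiki link, so the loss looks accidental rather than a deliberate edit. Restore the reference so the Kerberos-failure block stays uniform and analysts keep a pivot for this sid: `+5002471 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xA - Ticket not eligible for postdating [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002471`. If the reference was removed on purpose because the rule's `reference:` was dropped, that intent is not visible here and a one-line comment on the rule would make it clear.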
@@ -2477,6 +2477,379 @@
 5002577 || [CYLANCE] Threat - Found || url,wiki.quadrantsec.com/bin/view/Main/5002577
 5002578 || [CYLANCE] Threat - Quarantined || url,wiki.quadrantsec.com/bin/view/Main/5002578
 5002579 || [CYLANCE] Threat - Removed || url,wiki.quadrantsec.com/bin/view/Main/5002579
+5002580 || [PALO-ALTO] Certificate has illegal URL || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx
+5002581 || [PALO-ALTO] Accepted SSH Connection From Outside Home Country || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx
+5002582 || [PALO-ALTO] AntiVirus update job failed || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx
+5002583 || [PALO-ALTO] Authorization failed - Brute Force [25/1] || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx
+5002584 || [PALO-ALTO] Chassis Master Alarm || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx
+5002585 || [PALO-ALTO] Failed to connect to Panorama Server || url,ive.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx
+5002586 || [PALO-ALTO] Failed Interactive Login - Brute Force [15/1] || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx
+5002587 || [PALO-ALTO] Failed to install software || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx
+5002588 || [PALO-ALTO] NTLM Authentication Brute Force - [25/1] || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx
+5002589 || [PALO-ALTO] Successful NTLM Authentication From Outside Home Country || 
url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx +5002590 || [PALO-ALTO] User Authenticated From Outside Home Country || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx +5002591 || [PALO-ALTO] User Authentication - Brute Force [25/1] || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx +5002592 || [PALO-ALTO] Possible Replay Attempt Caused Disconnection || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx +5002593 || [PALO-ALTO] GlobalProtect Portal Authentication From Outside Home Country || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx +5002594 || [PALO-ALTO] PPPoE Session Connected For User Outside Home Country; content: "PPPoE session was connected for user || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx +5002595 || [PALO-ALTO] PPPoE Brute Force Attempt - [25/1] || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx +5002596 || [PALO-ALTO] SSL VPN User Authentication Failure - Brute Force [25/1] || url,ive.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx +5002597 || [PALO-ALTO] SSL VPN Authentication From Outside Home Country || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx +5002598 || [PALO-ALTO] SSL VPN Login - Brute Force [25/1] || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx +5002599 || [PALO-ALTO] SSL VPN Login From Outside Home Country || 
url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx +5002600 || [PALO-ALTO] Certificate is revoked || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx +5002601 || [SONICWALL] Possible restart for system maintenance || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002602 || [SONICWALL] Auto-Dial Failure || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002603 || [SONICWALL] Ethernet Port Down || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002604 || [SONICWALL] Ethernet Port Up || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002605 || [SONICWALL] Registration Update Needed || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002606 || [SONICWALL] 3G Device Detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002607 || [SONICWALL] 3G Data Limit Reached || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002608 || [SONICWALL] No 3G Sim Card Detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002609 || [SONICWALL] Preferences File Inaccessable || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002610 || [SONICWALL] OS Upgrade Performed || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002611 || [SONICWALL] Attempted access from host out of compliance with GSC policy || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002612 || [SONICWALL] Access attempt from host without Anti-Virus agent installed || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002613 || [SONICWALL] Security Services || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002614 || [SONICWALL] Firewall Rule Added || 
url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002615 || [SONICWALL] Firewall Rule Deleted || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002616 || [SONICWALL] Firewall Rule Modified || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002617 || [SONICWALL] Firewall Rule reset to defaults || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002618 || [SONICWALL] Network Access to proxy server denied || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002619 || [SONICWALL] ActiveX access denied || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002620 || [SONICWALL] ActiveX or Java archive access denied || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002621 || [SONICWALL] Successful Administrator Access || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002622 || [SONICWALL] Administrator Access denied due to bad credentials || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002623 || [SONICWALL] Administrator Access not allowed on this interface || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002624 || [SONICWALL] Administrator Account Name Changed || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002625 || [SONICWALL] Firewall preferences reset to factory defaults || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002626 || [SONICWALL] Allowed LDAP server certificate with wrong host name || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002627 || [SONICWALL] Possible Intrusion detection - Anti-Spyware detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002628 || [SONICWALL] Possible Intrusion detection - Anti-Spyware detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002629 || 
[SONICWALL] Intrusion Detection - Suspicious Application detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002630 || [SONICWALL] Intrusion Detection - Suspicious Application detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002631 || [SONICWALL] ASOC Flood detected from WLAN station || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002632 || [SONICWALL] Intrusion Detection - Back Orifice Attack Dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002633 || [SONICWALL] High Availability - Backup active || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002634 || [SONICWALL] High Availability/Failover - Backup Firewall Active || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002635 || [SONICWALL] High Availability/Failover - Backup Firewall transitioned to idle || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002636 || [SONICWALL] High Availability - Backup Firewall Rebooting || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002637 || [SONICWALL] High Availability - Backup WAN link down || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002638 || [SONICWALL] VPN PKI - Bad CRL format || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002639 || [SONICWALL] VPN PKI - Blacklisted Certificate || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002640 || [SONICWALL] Administrator Login - Commandline login successful || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002641 || [SONICWALL] Administrator login failed due to bad credentials || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002642 || [SONICWALL] Firewall event - Diagnostic Reboot || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002643 || [SONICWALL] 
Firewall Hardware Diagnostic Code A || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002644 || [SONICWALL] Firewall Hardware Diagnostic Code B || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002645 || [SONICWALL] Firewall Hardware Diagnostic Code C || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002646 || [SONICWALL] Firewall Hardware Diagnostic Code D || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002647 || [SONICWALL] Firewall Hardware Diagnostic Code E || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002648 || [SONICWALL] Firewall Hardware Diagnostic Code F || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002649 || [SONICWALL] Firewall Hardware Diagnostic Code G || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002650 || [SONICWALL] Firewall Hardware Diagnostic Code H || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002651 || [SONICWALL] Firewall Hardware Diagnostic Code I || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002652 || [SONICWALL] Firewall Hardware Diagnostic Code J || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002653 || [SONICWALL] Intrusion Detection Non-Sonicpoint WLAN traffic dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002654 || [SONICWALL] Error initializing Hardware acceleration for VPN || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002655 || [SONICWALL] High Availability - Error rebooting peer firewall || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002656 || [SONICWALL] High Availability - Error setting up IP address of the backup || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002657 || [SONICWALL] Security Services - License Sync Failed || 
url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002658 || [SONICWALL] Intrusion Detection - Possible FIN Flood || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002659 || [SONICWALL] Intrusion Detection - Possible FIN Flood || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002660 || [SONICWALL] WLAN IDS - Rouge Access Point || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002661 || [SONICWALL] Intrusion Detection - Fraudulent Microsoft Certificate || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002662 || [SONICWALL] FTP - Login Failed || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002663 || [SONICWALL] Network Access - Dropped access from non-default port || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002664 || [SONICWALL] Intrusion Detection - Bounce attack dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002665 || [SONICWALL] Intrusion Detection - Spoof attack dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002666 || [SONICWALL] Guest account created || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002667 || [SONICWALL] Guest account deleted || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002668 || [SONICWALL] Guest account disabled || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002669 || [SONICWALL] Guest account pruned || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002670 || [SONICWALL] Guest account re-enabled || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002671 || [SONICWALL] Guest account re-generated || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002672 || [SONICWALL] Heartbeat detected from incompatable source || 
url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002673 || [SONICWALL] HTTP management port has changed || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002674 || [SONICWALL] Wireless - Unauthorized user || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002675 || [SONICWALL] Possible IP spoof detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002676 || [SONICWALL] Possible IP spoof dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002677 || [SONICWALL] IPS Detection Alert || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002678 || [SONICWALL] IPS Prevention Alert || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002679 || [SONICWALL] Intrusion Detection - Land attack dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002680 || [SONICWALL] Intrusion Detection - removed from FIN flood blacklist || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002681 || [SONICWALL] Intrusion Detection - removed from RST flood blacklist || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002682 || [SONICWALL] Intrusion Detection - removed from SYN flood blacklist || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002683 || [SONICWALL] Firewall logging - Maximum events per second threshold exceeded || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002684 || [SONICWALL] PPP dialup - Maximum sequential failed dial attempts || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002685 || [SONICWALL] Firewall logging - Maximum syslog data per second threshold exceeded || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002686 || [SONICWALL] Multiple DHCP servers detected on network || 
url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002687 || [SONICWALL] Intrusion Detection - Net Spy attack dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002688 || [SONICWALL] Intrusion Detection - NetBus attack dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002689 || [SONICWALL] Wireless - Packet dropped by WLAN || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002690 || [SONICWALL] No firewall rule exists for VPN policy || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002691 || [SONICWALL] Intrusion Detection - Ping of Death dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002692 || [SONICWALL] Intrusion Detection - Possible DNS rebind attack detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002693 || [SONICWALL] Intrusion Detection - Possible FIN Flood || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002694 || [SONICWALL] Intrusion Detection - Possible port scan detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002695 || [SONICWALL] Intrusion Detection - Possible RST Flood || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002696 || [SONICWALL] Intrusion Detection - Possible SYN Flood || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002697 || [SONICWALL] Intrusion Detection - Priority attack dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002698 || [SONICWALL] Intrusion Detection - Probable port scan detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002699 || [SONICWALL] Intrusion Detection - Probable TCP FIN scan detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002700 || [SONICWALL] Intrusion Detection - Probable TCP NULL scan detected || 
url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002701 || [SONICWALL] Intrusion Detection - Probable TCP XMAS scan detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002702 || [SONICWALL] Wan Failover - Possible recon attempt || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002703 || [SONICWALL] Wan Failover - Recon attempt || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002704 || [SONICWALL] Firewall Hardware - Clock battery has failed || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002705 || [SONICWALL] Wan Failover - Possible recon || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002706 || [SONICWALL] Sonicwall License Expired || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002707 || [SONICWALL] Firewall rebooting || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002708 || [SONICWALL] Intrusion Detection - RIPper attack dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002709 || [SONICWALL] Intrusion Detection - RST Flood Blacklist || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002710 || [SONICWALL] Intrusion Detection - RST Flood || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002711 || [SONICWALL] Intrusion Detection - Senna Spy attack dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002712 || [SONICWALL] Firewall activated || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002713 || [SONICWALL] Firewall starting up || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002714 || [SONICWALL] SonicWALL SSO agent is down || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002715 || [SONICWALL] SonicWALL SSO agent is up || 
url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002716 || [SONICWALL] Domain name too long || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002717 || [SONICWALL] SSO agent returned error || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002718 || [SONICWALL] User name too long || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002719 || [SONICWALL] Intrusion Detection - Source routed IP packet dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002720 || [SONICWALL] Intrusion Detection - Spank attack dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002721 || [SONICWALL] VPN policy enforced || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002722 || [SONICWALL] Intrusion Detection - Striker attack dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002723 || [SONICWALL] Intrusion Detection - Sub Seven attack dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002724 || [SONICWALL] Intrusion Detection - SYN Flood blacklisting enabled by user || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002725 || [SONICWALL] Intrusion Detection - SYN flood ceased or flooding machines blacklisted || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002726 || [SONICWALL] Intrusion Detection - SYN Flood Mode changed by user || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002727 || [SONICWALL] System clock manually updated || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002728 || [SONICWALL] Intrusion Detection - TCP Xmas Tree dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002729 || [SONICWALL] Virtual Access Point is disabled || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 
+5002730 || [SONICWALL] Virtual Access Point is enabled || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002731 || [SONICWALL] Hardware failure - Voltages Out of Tolerance || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002732 || [SONICWALL] WLAN firmware image has been updated || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002733 || [SONICWALL] Radio frequency threat detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002734 || [SONICWALL] WLAN sequence number out of order - sequencing error/EMF interference/rogue AP || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf +5002735 || [YUBIKEY] Invalid OTP || url,wiki.quadrantsec.com/bin/view/Main/5002735 +5002736 || [WEB-ATTACKS] RFI Attempt || url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html +5002737 || [WEB-ATTACKS] Possible LFI Attempt || url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html +5002740 || [WEB-ATTACKS] Attempt to Access Default Cacti Login Page || url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html +5002741 || [WEB-ATTACKS] Attempt to Access PHPMyAdmin Changelog Page || url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html +5002742 || [WEB-ATTACKS] Attempt to Access robots.txt File || url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html +5002743 || [WEB-ATTACKS] Possible SQL Injection || url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html +5002744 || [WEB-ATTACKS] Attempt to Access Default Drupal DB Config File || url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html +5002745 || [WEB-ATTACKS] Attempt to Access Default Joomla Page || url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html +5002746 || [WEB-ATTACKS] Attempt to Access PHP Timeclock Page || 
url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html +5002747 || [WEB-ATTACKS] Attempt to Access default DeV!L`s ClanPortal Page || url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html +5002748 || [WEB-ATTACKS] Attempt to Access IISamples Page || url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html +5002749 || [PALO-ALTO] Malware URL Blocked || url,www.brightcloud.com/tools/url-ip-lookup.php +5002750 || [PALO-ALTO] Phishing URL Blocked || url,www.brightcloud.com/tools/url-ip-lookup.php +5002751 || [PALO-ALTO] Spyware or Adware URL Blocked || url,www.brightcloud.com/tools/url-ip-lookup.php +5002752 || [PALO-ALTO] Url Blocked by policy or category || url,www.brightcloud.com/tools/url-ip-lookup.php +5002753 || [PALO-ALTO] Foreign URL of unknown category || url,www.brightcloud.com/tools/url-ip-lookup.php +5002754 || [PALO-ALTO] Url silent flowbit set || url,www.brightcloud.com/tools/url-ip-lookup.php +5002755 || [PALO-ALTO] Virus Detected || url,threatvault.paloaltonetworks.com +5002756 || [PALO-ALTO] Critical Severity Exploit Inbound || url,threatvault.paloaltonetworks.com +5002757 || [PALO-ALTO] Critical Severity Exploit Outbound || url,threatvault.paloaltonetworks.com +5002758 || [PALO-ALTO] High Severity Exploit Inbound || url,threatvault.paloaltonetworks.com +5002759 || [PALO-ALTO] High Severity Exploit Outbound || url,threatvault.paloaltonetworks.com +5002760 || [PALO-ALTO] Medium Severity Exploit Inbound || url,threatvault.paloaltonetworks.com +5002761 || [PALO-ALTO] Medium Severity Exploit Outbound || url,threatvault.paloaltonetworks.com +5002762 || [PALO-ALTO] Executable File Download +5002763 || [PALO-ALTO] Suspicious DNS Request || url,threatvault.paloaltonetworks.com +5002764 || [FIPAYPIN] Connection failed to Fipay [5/2] || url,wiki.quadrantsec.com/bin/view/Main/sid:5002764 +5002765 || [FIPAYPIN] Slow send! 
|| url,wiki.quadrantsec.com/bin/view/Main/sid:5002765 +5002766 || [FIPAYPIN] Invalid credit card detected || url,wiki.quadrantsec.com/bin/view/Main/sid:5002766 +5002767 || [FIPAYPIN] Bad/No Pin Block and KSN returned || url,wiki.quadrantsec.com/bin/view/Main/sid:5002767 +5002768 || [FIPAYPIN] Blocked the response to POS || url,wiki.quadrantsec.com/bin/view/Main/sid:5002768 +5002769 || [FIPAYPIN] Failed to open pinpad [0/2] || url,wiki.quadrantsec.com/bin/view/Main/sid:5002769 +5002770 || [FIPAYPIN] Replace macro from outside RFC1918 || url,wiki.quadrantsec.com/bin/view/Main/sid:5002770 +5002771 || [ScreenOS] Juniper ScreenOS Login for Suspicious Admin user - system || url,kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search || cve,2015-7755 +5002772 || [ScreenOS] Juniper ScreenOS Login for Suspicious Admin user - username || url,kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search || cve,2015-7755 +5002773 || [ScreenOS-GEOIP] Juniper ScreenOS Admin Login from Outside of Home Country || url, wiki.quadrantsec.com/bin/view/Main/5002773 || url,kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search +5002774 || [ScreenOS] Juniper ScreenOS Admin Login From a Malicious IP || url,kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search || cve,2015-7755 +5002775 || [WINDOWS-MISC] Domain policy was changed || url,wiki.quadrantsec.com/bin/view/Main/5002775 +5002776 || [F5-BIG-IP-GEOIP] Command-line Login from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002776 || url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html +5002777 || [F5-BIG-IP-GEOIP] Command-line Logout from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002777 || url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html +5002778 || [F5-BIG-IP-GEOIP] Unsuccessful Command-line Login from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002778 || 
url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html +5002779 || [F5-BIG-IP-GEOIP] Unsuccessful Command-line Login from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002779 || url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html +5002780 || [F5-BIG-IP-GEOIP] Successful Configuration Utility Login from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002780 || url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html +5002781 || [F5-BIG-IP-GEOIP] Unsuccessful Configuration Utility Login from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002781 || url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html +5002782 || [Barracuda] Last Auto Backup Time Changed || url,wiki.quadrantsec.com/bin/view/Main/5002782 +5002783 || [Barracuda] Spyware Exploit || url,wiki.quadrantsec.com/bin/view/Main/5002783 +5002784 || [Barracuda] AdWare Win32 Agent || url,wiki.quadrantsec.com/bin/view/Main/5002784 +5002785 || [Barracuda] Login || url,wiki.quadrantsec.com/bin/view/Main/5002785 +5002786 || [Barracuda] Failed Login || url,wiki.quadrantsec.com/bin/view/Main/5002786 +5002787 || [Barracuda] Spyware Filter Change || url,wiki.quadrantsec.com/bin/view/Main/5002787 +5002788 || [Barracuda] Snort Enabled || url,wiki.quadrantsec.com/bin/view/Main/5002788 +5002789 || [Barracuda] Ipoque Enabled || url,wiki.quadrantsec.com/bin/view/Main/5002789 +5002790 || [Barracuda] Failed Login Log Change || url,wiki.quadrantsec.com/bin/view/Main/5002790 +5002791 || [Barracuda] Change to URL Whitelist || url,wiki.quadrantsec.com/bin/view/Main/5002791 +5002792 || [Barracuda] Change to URL Blacklist || url,wiki.quadrantsec.com/bin/view/Main/5002792 +5002793 || [Barracuda] Policy Block Change || url,wiki.quadrantsec.com/bin/view/Main/5002793 +5002794 || [Barracuda] User Password Changed || url,wiki.quadrantsec.com/bin/view/Main/5002794 +5002795 || [Barracuda] System Password Changed || 
url,wiki.quadrantsec.com/bin/view/Main/5002795 +5002796 || [Barracuda] System Shutdown || url,wiki.quadrantsec.com/bin/view/Main/5002796 +5002797 || [Trendmicro] Virus Found Unable to Quarantine || url,wiki.quadrantsec.com/bin/view/Main/5002797 +5002798 || [BRO] RFC1918 address scanning the network || url,wiki.quadrantsec.com/bin/view/Main/5002798 +5002799 || [WINDOWS-SYSMON] PSExec execution detected || url,wiki.quadrantsec.com/bin/view/Main/sid:5002799 +5002801 || [WINDOWS-MALWARE] Locky or AutoLocky ransomware extension detected. || url,decrypter.emsisoft.com || url,wiki.quadrantsec.com/bin/view/Main/5002801 +5002802 || [WINDOWS-SYSMON] Locky ransomware instructions detected! || url,wiki.quadrantsec.com/bin/view/Main/sid:5002802 +5002803 || [WINDOWS-SYSMON] vssadmin.exe execution. Possible ransomware || url,wiki.quadrantsec.com/bin/view/Main/sid:5002803 +5002804 || [WINDOWS-MALWARE] Locky ransomware note detected. || url,wiki.quadrantsec.com/bin/view/Main/5002804 || url,http://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/ +5002805 || [WINDOWS-MALWARE] Cryptowall 4.0 ransomware note detected. || url,wiki.quadrantsec.com/bin/view/Main/5002805 || url,http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#cryptowall4 +5002806 || [WINDOWS-MALWARE] Cryptowall ransomware note detected. || url,wiki.quadrantsec.com/bin/view/Main/5002806 +5002807 || [WINDOWS-MALWARE] CryptInfinite/DecryptorMax ransomware note detected. || url,decrypter.emsisoft.com || url,wiki.quadrantsec.com/bin/view/Main/5002807 || url,http://www.bleepingcomputer.com/news/security/cryptinfinite-or-decryptormax-ransomware-decrypted/ +5002808 || [WINDOWS-MALWARE] TeslaCrypt ransomware note detected. || url,wiki.quadrantsec.com/bin/view/Main/5002808 || url,www.pcrisk.com/removal-guides/8724-teslacrypt-virus +5002809 || [WINDOWS-MALWARE] Teslacrypt ransomware note type 2 detected. 
|| url,wiki.quadrantsec.com/bin/view/Main/5002809 || url,www.virustotal.com/en/file/161d1b77a6867603745046e81e52a186ea764ba8c723c9698da707c245505e95/analysis/1458765163/ +5002810 || [WINDOWS-SYSMON] Suspicious WMIC call - shadowcopy delete || url,wiki.quadrantsec.com/bin/view/Main/sid:5002810 +5002811 || [WINDOWS-SYSMON] Suspicious WMIC call - csproduct GET UUID || url,wiki.quadrantsec.com/bin/view/Main/sid:5002811 +5002812 || [WINDOWS-SYSMON] Suspicious WMIC call - bios Get SerialNumber || url,wiki.quadrantsec.com/bin/view/Main/sid:5002812 +5002813 || [WINDOWS-SYSMON] Suspicious WMIC call - bios Get Version || url,wiki.quadrantsec.com/bin/view/Main/sid:5002813 +5002814 || [WINDOWS-SYSMON] Suspicious WMIC call - bios Get SerialNumber || url,wiki.quadrantsec.com/bin/view/Main/sid:5002814 +5002815 || [WINDOWS-SYSMON] Suspicious WMIC call - csproduct Get Name || url,wiki.quadrantsec.com/bin/view/Main/sid:5002815 +5002816 || [WINDOWS-SYSMON] Suspicious WMIC call - computersystem get model || url,wiki.quadrantsec.com/bin/view/Main/sid:5002816 +5002817 || [WINDOWS-MISC] Installation of service via SCM || url,pastebin.com/raw/0SNSvyjJ || url,wiki.quadrantsec.com/bin/view/Main/5002817 +5002818 || [WINDOWS-MISC] Installation of new service via Security Audit || url,pastebin.com/raw/0SNSvyjJ || url,wiki.quadrantsec.com/bin/view/Main/5002818 +5002819 || [WINDOWS-MALWARE] TrueCrypter Rakhni or .CryptoHasYou. - Trojan:Win32/Dynamer!ac ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002819 +5002820 || [WINDOWS-MALWARE] .CryptoHasYou. - Trojan:Win32/Dynamer!ac ransom note detected. 
|| url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002820 +5002821 || [WINDOWS-MALWARE] 7ev3n - Ransom:Win32/Empercrypt.A ransomware extension detected. || url, https://github.com/hasherezade/malware_analysis/tree/master/7ev3n || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002821 +5002822 || [WINDOWS-MALWARE] Win32/Cribit or MSIL/Vaultlock.A ransomware extension detected. || url,noransom.kaspersky.com || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002822 +5002823 || [WINDOWS-MALWARE] Cerber - Win32/Cerber ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002823 +5002824 || [WINDOWS-MALWARE] Chimera - Win32/Chicrypt ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002824 +5002825 || [WINDOWS-MALWARE] Coverton ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002825 +5002826 || [WINDOWS-MALWARE] CryptInfinite ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002826 +5002827 || [WINDOWS-MALWARE] CryptInfinite ransomware extension detected. 
|| url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002827 +5002828 || [WINDOWS-MALWARE] CryptoTorLocker2015 ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002828 +5002829 || [WINDOWS-MALWARE] CryptXXX or Gomasom ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002829 +5002830 || [WINDOWS-MALWARE] Hi Buddy! or Rakhni ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002830 +5002831 || [WINDOWS-MALWARE] iLock, iLockLight or Lortok ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002831 +5002832 || [WINDOWS-MALWARE] Jigsaw - MSIL/JigsawLocker.A || url,www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-will-delete-your-files-until-you-pay-the-ransom || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002832 +5002833 || [WINDOWS-MALWARE] EDA2,HiddenTear,Job Crypter,KimcilWare,SkidLocker,Pompous,Strictor or Rakhni ransomware extension detected. 
|| url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002833 +5002834 || [WINDOWS-MALWARE] KeyBTC - Win32/Isda - BAT/Xibow ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002834 +5002835 || [WINDOWS-MALWARE] KimcilWare ransomware extension detected. || url,blog.fortinet.com/post/kimcilware-ransomware-how-to-decrypt-encrypted-files-and-who-is-behind-it || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002835 +5002836 || [WINDOWS-MALWARE] LeChiffre ransomware extension detected. || url,decrypter.emsisoft.com/lechiffre || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002836 +5002837 || [WINDOWS-MALWARE] Magic ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002837 +5002838 || [WINDOWS-MALWARE] MireWare ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002838 +5002839 || [WINDOWS-MALWARE] Nemucod ransomware extension detected. 
|| url,github.com/Antelox/NemucodFR || url,decrypter.emsisoft.com || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002839 +5002840 || [WINDOWS-MALWARE] Offline ransomware ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002840 +5002841 || [WINDOWS-MALWARE] OMG! ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002841 +5002842 || [WINDOWS-MALWARE] Radamant ransomware extension detected. || url,decrypter.emsisoft.com || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002842 +5002843 || [WINDOWS-MALWARE] Coverton or Torrentlocker ransomware extension detected. || url,support.kaspersky.com/us/viruses/disinfection/10556 || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002843 +5002844 || [WINDOWS-MALWARE] RemindMe ransomware extension or note detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002844 +5002845 || [WINDOWS-MALWARE] Rokku ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002845 +5002846 || [WINDOWS-MALWARE] Samas-Samsam ransomware extension detected. 
|| url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002846 +5002847 || [WINDOWS-MALWARE] LowLevel04 ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002847 +5002848 || [WINDOWS-MALWARE] Sanction ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002848 +5002849 || [WINDOWS-MALWARE] Sport ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002849 +5002850 || [WINDOWS-MALWARE] Surprise ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002850 +5002851 || [WINDOWS-MALWARE] TeslaCrypt 0.x - 2.2.0 ransomware extension detected. || url,www.talosintel.com/teslacrypt_tool || url,www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002851 +5002852 || [WINDOWS-MALWARE] TeslaCrypt 3.0+ ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002852 +5002853 || [WINDOWS-MALWARE] Troldesh ransomware extension detected. 
|| url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002853 +5002854 || [WINDOWS-MALWARE] Zlader / Russian or VaultCrypt ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002854 +5002855 || [WINDOWS-MALWARE] Virus-Encoder ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002855 +5002856 || [WINDOWS-MALWARE] Xorist ransomware extension detected. || url,support.kaspersky.com/viruses/disinfection/2911 || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002856 +5002857 || [WINDOWS-MALWARE] XRTN ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002857 +5002858 || [WINDOWS-MALWARE] CryptFIle2 ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002858 +5002859 || [WINDOWS-MALWARE] Cryaki ransomware extension detected. || url,support.kaspersky.com/viruses/disinfection/8547 || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002859 +5002860 || [WINDOWS-MALWARE] CTB-Locker ransomware extension detected. 
|| url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002860 +5002861 || [WINDOWS-MALWARE] El-Polocker ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002861 +5002862 || [WINDOWS-MALWARE] Mobef ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002862 +5002863 || [WINDOWS-MALWARE] Alpha ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002863 +5002864 || [WINDOWS-MALWARE] WonderCrypter ransomware extension or note detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002864 +5002865 || [WINDOWS-MALWARE] Zeta ransomware note detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002865 +5002866 || [WINDOWS-MALWARE] WonderCrypter ransomware extension or note detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002866 +5002867 || [WINDOWS-MALWARE] Possible unknown strain ransomware extension or note detected. 
|| url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002867 +5002868 || [CISCO-BLUEDOT] Suspicious TCP connection detected via Bluedot || url,wiki.quadrantsec.com/bin/view/Main/5002868 +5002869 || [CISCO-BLUEDOT] Suspicious UDP connection detected via Bluedot || url,wiki.quadrantsec.com/bin/view/Main/5002869 +5002870 || [CISCO-BLUEDOT] VPN Login from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002870 +5002871 || [CISCO-BLUEDOT] Console login from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002871 +5002872 || [CISCO-BLUEDOT] Login permitted from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002872 +5002873 || [CISCO-BLUEDOT] VPN login from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002873 +5002874 || [CISCO-BLUEDOT] VPN disconnect from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002874 +5002875 || [CISCO-BLUEDOT] VPN/AnyConnect login from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002875 +5002876 || [CISCO-BLUEDOT] ACS Login success from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002876 +5002877 || [CISCO-BLUEDOT] VPN login from suspicious source [2] || url, wiki.quadrantsec.com/bin/view/Main/5002877 +5002878 || [CISCO-BLUEDOT] FTP file transfer from or to suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002878 +5002879 || [CISCO-BLUEDOT] Suspicious ICMP connection detected via Bluedot || url,wiki.quadrantsec.com/bin/view/Main/5002879 +5002880 || [CISCO-BLUEDOT] Suspicious GRE connection detected via Bluedot || url,wiki.quadrantsec.com/bin/view/Main/5002880 +5002881 || [FORTINET-BLUEDOT] Login accepted from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002881 +5002882 || [FORTINET-BLUEDOT] Administrator Login from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002882 
+5002883 || [FORTINET-BLUEDOT] Admin authentication success suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002883
+5002884 || [FORTINET-BLUEDOT] SSH traffic detected from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002884
+5002885 || [COURIER-BLUEDOT] Authentication failure from suspicius source || url,wiki.quadrantsec.com/bin/view/Main/5002885
+5002886 || [COURIER-BLUEDOT] Logout/disconnect from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002886
+5002887 || [COURIER-BLUEDOT] User login from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002887
+5002888 || [COURIER-BLUEDOT] Timeout from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002888
+5002889 || [F5-BIG-IP-BLUEDOT] Command-line Login from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002889 || url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html
+5002890 || [F5-BIG-IP-BLUEDOT] Command-line Logout from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002890 || url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html
+5002891 || [F5-BIG-IP-BLUEDOT] Unsuccessful Command-line Login from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002891 || url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html
+5002892 || [F5-BIG-IP-BLUEDOT] Unsuccessful Command-line Login from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002892 || url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html
+5002893 || [F5-BIG-IP-BLUEDOT] Successful Configuration Utility Login from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002893 || url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html
+5002894 || [F5-BIG-IP-BLUEDOT] Unsuccessful Configuration Utility Login from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002894 || url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html
+5002895 || [FATPIPE-BLUEDOT] 
Login Success from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002895
+5002896 || [FATPIPE-BLUEDOT] Login Success - ADMINISTRATOR - from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002896
+5002897 || [IMAPD-BLUEDOT] Login from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002897
+5002898 || [IMAPD-BLUEDOT] Logout from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002898
+5002899 || [IMAPD-BLUEDOT] Timeout from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002899
+5002900 || [IMAPD-BLUEDOT] Disconnect from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002900
+5002901 || [IMAPD-BLUEDOT] Connection from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002901
+5002902 || [JUNIPER-BLUEDOT] VPN Login from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002902
+5002903 || [JUNIPER-BLUEDOT] VPN Logout from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002903
+5002904 || [ScreenOS-BLUEDOT] Juniper ScreenOS Admin Login from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002904 || url,kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search
+5002905 || [OPENSSH-BLUEDOT] Authentication success via password from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002905
+5002906 || [OPENSSH-BLUEDOT] Authentication success via publickey from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002906
+5002907 || [OPENSSH-BLUEDOT] Authentication success via keyboard from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002907
+5002908 || [PROFTPD-BLUEDOT] Authentication success from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002908
+5002909 || [RIVERBED-BLUEDOT] Administrator Login a suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002909
+5002910 || [FILE-BLUEDOT] Executable Downloaded from a suspicious source || url, 
wiki.quadrantsec.com/bin/view/Main/5002910
+5002911 || [FILE-BLUEDOT] Java Downloaded from a suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002911
+5002912 || [FILE-BLUEDOT] Jar/Zip Downloaded a suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002912
+5002913 || [FILE-BLUEDOT] PDF Downloaded a suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002913
+5002914 || [FILE-BLUEDOT] Flash Downloaded a suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002914
+5002915 || [SSH-TECTIA-SERVER-BLUEDOT] Authentication success from a suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002915
+5002916 || [VMWARE-BLUEDOT] User login successful from a suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002916
+5002917 || [VMWARE-BLUEDOT] User login successful from a suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002917
+5002918 || [VMWARE-BLUEDOT] User login successful from a suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002918
+5002919 || [VSFTPD-BLUEDOT] Authentication successful from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002919
+5002920 || [VSFTPD-BLUEDOT] File uploaded from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002920
+5002921 || [BIT9] Non-System Filemods to system32
+5002922 || [BIT9] Newly Loaded Modules
+5002923 || [BIT9] A new device was mounted
+5002924 || [BIT9] File was executed for the first time
+5002925 || [BIT9] Computer reported that signature on file is invalid
+5002926 || [BIT9] Server discovered new certificate
+5002927 || [BIT9] Disk configuration change detected
+5002928 || [BIT9] Bit9 Agent blocked an attempt to create file
+5002929 || [BIT9] Bit9 Agent blocked an attempt to delete file
+5002930 || [BIT9] Permission change was blocked
+5002931 || [BIT9] Modification of registry was blocked
+5002932 || [BIT9] Bit9 Agent failed a health check
+5002933 || [BIT9] File was identified by Bit9 Software Reputation 
Service as a potential risk
+5002934 || [BIT9] Server detected revocation of certificate
+5002935 || [BIT9] Bit9 Agent detected a problem
+5002936 || [BIT9] Exclusive access to a file was blocked because of tamper protection
+5002937 || [BIT9] Bit9 Agent had to rebuild its primary database cache and now has to re-initialize
+5002938 || [BIT9] Computer failed to receive Notifier Logo
+5002939 || [BIT9] Bit9 Agent had to restore its primary database cache
+5002940 || [BLUEDOT] Suspicious file hash detected || url,wiki.quadrantsec.com/bin/view/Main/5002940
+5002941 || [WINDOWS-MISC] Suspicious event logging service shut down. || url,wiki.quadrantsec.com/bin/view/Main/5002941
+5002942 || [ASTERISK] Brute force login session failed [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5002942
+5002943 || [ASTERISK] Brute force login session failed [invalid user] [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5002943
+5002944 || [ASTERISK] Brute force login session failed [invalid extension] [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5002944
+5002945 || [Barracuda] Brute force login attempt [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5002945
+5002946 || [F5-BIG-IP] Brute force Attempt [5/1] || url,wiki.quadrantsec.com/bin/view/Main/5002946 || url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html
+5002947 || [IMAPD] Brute force attack [5/1] || url,wiki.quadrantsec.com/bin/view/Main/5002947
+5002948 || [NGINX] Nginx brute force authentication attempt [5/1] || url,wiki.quadrantsec.com/bin/view/Main/5002948
+5002949 || [ORACLE] Brute force authentication failure [5/1] || url, wiki.quadrantsec.com/bin/view/Main/5002949
+5002950 || [FTPD] FTPCHK3 file accessed by user || url,blog.ftptoday.com/ftp-password-stealing-malware || url,wiki.quadrantsec.com/bin/view/Main/5002950
+5002951 || [PROFTP] FTPCHK3 file accessed by user || url,wiki.quadrantsec.com/bin/view/Main/5002951 || blog.ftptoday.com/ftp-password-stealing-malware
+5002952 || [PUREFTPD] FTPCHK3 file 
accessed by user || url,wiki.quadrantsec.com/bin/view/Main/5002952 || url,blog.ftptoday.com/ftp-password-stealing-malware
+5002953 || [VSFTPD] FTPCHK3 file accessed by user || url,wiki.quadrantsec.com/bin/view/Main/5002953 || url,blog.ftptoday.com/ftp-password-stealing-malware
+5002954 || [WINDOWS-MISC] Event log has been cleared. || url,wiki.quadrantsec.com/bin/view/Main/5002954
+5002955 || [WINDOWS-MISC] Subscription calledback error recieved. Logging has likely stopped. || url,wiki.quadrantsec.com/bin/view/Main/5002955
 6000510 || [OSSEC] Level 7 - Host-based anomaly detection event (rootcheck). (ossec_rules.xml:ossec)
 6000513 || [OSSEC] Level 9 - Windows malware detected. (ossec_rules.xml:ossec)
 6000518 || [OSSEC] Level 9 - Windows Adware/Spyware application found. (ossec_rules.xml:ossec)
diff -Nru sagan-rules-10222015/samba.rules sagan-rules-20160923/samba.rules
--- sagan-rules-10222015/samba.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/samba.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan samba.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/sendmail.rules sagan-rules-20160923/sendmail.rules
--- sagan-rules-10222015/sendmail.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/sendmail.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan sendmail.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -32,7 +32,7 @@
 drop tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[SENDMAIL] VRFY command - [not rejected]"; content:"vrfy "; content:!"rejected"; nocase; classtype: attempted-recon; flowbits: set, recon, 86400; program: sm-mta|sendmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000036; parse_src_ip:1; fwsam: src, 1 day; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; sid: 5000224; rev:8;)
 #drop tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[SENDMAIL] Relaying denied"; pcre: "/Relaying denied|reject=550 5.7.1/"; classtype: suspicious-traffic;program: sm-mta|sendmail; parse_src_ip: 1; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000037; sid: 5000037; rev:8;)
 #drop tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[SENDMAIL] Relaying denied [reject=550 5.7.1]"; content: "reject=550 5.7.1"; classtype: suspicious-traffic;program: sm-mta|sendmail; parse_src_ip: 1; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000144; sid: 5000144; rev:5;)
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[SENDMAIL] Domain of sender does not resolve"; content:"reject=451 4.1.8"; classtype: suspicious-traffic; program: sm-mta|sendmail; normalize: smtp; reference: url,wiki.quadrantsec.com/bin/view/Main/5000136; sid: 5000136; rev:3;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[SENDMAIL] Domain of sender does not resolve"; content:"reject=451 4.1.8"; classtype: suspicious-traffic; program: sm-mta|sendmail; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000136; sid: 5000136; rev:4;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[SENDMAIL] Rejected by access list"; pcre: "/reject=550 5.0.0|reject=553 5.3.0/"; classtype: suspicious-traffic; program: sm-mta|sendmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000137; sid: 5000137; rev:2;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[SENDMAIL] Sender address does not have domain"; 
content:"reject=553 5.5.4 "; classtype: suspicious-traffic; program: sm-mta|sendmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000138; sid: 5000138; rev:1;)
 #alert tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[SENDMAIL] Rejecting due to pre-greet"; content: "rejecting commands from"; classtype: spam; program: sm-mta|sendmail; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000139; sid: 5000139; rev:3;)
diff -Nru sagan-rules-10222015/smtp-normalize.rulebase sagan-rules-20160923/smtp-normalize.rulebase
--- sagan-rules-10222015/smtp-normalize.rulebase 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/smtp-normalize.rulebase 1970-01-01 00:00:00.000000000 +0000
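Review bot: The only line that changes in this hunk is the disabled rule 5000136, so swapping `normalize: smtp` for the bare `normalize;` and bumping it to rev:4 has no runtime effect until someone uncomments it. When that happens the rule will depend on whatever the default liblognorm rulebase extracts from a `reject=451 4.1.8` line, because this same commit deletes smtp-normalize.rulebase together with its `expn`, `check_rcpt` and `RCPT flood` patterns; presumably the default rulebase now covers sendmail, but that is not visible in the diff and is worth confirming before the rule is re-enabled. A one-line comment above the rule would save the next reader that archaeology: `# Disabled; relies on the default normalize rulebase since smtp-normalize.rulebase was removed (2016-09).`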
@@ -1,41 +0,0 @@
-# Sagan smtp.rulebase
-# Copyright (c) 2009-2015, Quadrant Information Security
-# All rights reserved.
-#
-# This file is used in conjunction with liblognorm.
-#
-# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
-#
-#*************************************************************
-# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
-# following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
-# disclaimer.
-# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
-# following disclaimer in the documentation and/or other materials provided with the distribution.
-# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
-# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
-# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-#
-#*************************************************************
-
-prefix=
-
-rule=: %-:word% %-:word% [%src-ip:ipv4%]: expn %username:word%
-
-# p0IGs29E022795: ruleset=check_rcpt, arg1=, relay=mailhost.example.com [192.168.0.1], reject=553 5.1.8 ... Domain of sender address bogus@example.com does not exist
-
-rule=: %-:word% ruleset=check_rcpt, %-:word% relay=%y:word% [%src-ip:ipv4%] (may be forged), reject=%-:number% %-:rest%
-
-# p0I3FCpA013475: [192.168.0.1]: Possible SMTP RCPT flood, throttling.
-
-rule=: %-:word%: [%src-ip:ipv4%]: Possible SMTP RCPT flood, throttling.
-
diff -Nru sagan-rules-10222015/snort-bluedot.rules sagan-rules-20160923/snort-bluedot.rules
--- sagan-rules-10222015/snort-bluedot.rules 1970-01-01 00:00:00.000000000 +0000
+++ sagan-rules-20160923/snort-bluedot.rules 2016-09-21 02:52:28.000000000 +0000
@@ -0,0 +1,42 @@
+# Sagan snort-bluedot.rules
+# Copyright (c) 2009-2016, Quadrant Information Security
+# All rights reserved.
+#
+# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
+#
+#*************************************************************
+# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
+# following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
+# disclaimer.
+# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
+# following disclaimer in the documentation and/or other materials provided with the distribution.
+# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#
+# These detect where certain types of files are accessed from outside your HOME_COUNTRY.
+# They require that:
+#
+# 1. Snort logs to syslog:
+# output alert_syslog: LOG_AUTH LOG_ALERT # Example SNORT config
+# 2. 
Snort "file-identify.rules" rules are enabled
+#
+# Concept by Robert Nunley (rnunley@quadrantsec.com) - 02/21/2014
+
+# THIS RULES ARE HIGHLY EXPERIMENTAL!
+
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[FILE-BLUEDOT] Executable Downloaded from a suspicious source"; program: snort; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; content: "FILE-IDENTIFY"; content: "Exe"; classtype: bad-unknown; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002910;sid:5002910; rev: 2;)
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[FILE-BLUEDOT] Java Downloaded from a suspicious source"; program: snort; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; content: "FILE-IDENTIFY"; content: "Java"; classtype: bad-unknown; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002911; sid:5002911; rev: 2;)
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[FILE-BLUEDOT] Jar/Zip Downloaded a suspicious source"; program: snort; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; content: "FILE-IDENTIFY"; content: "Jar"; classtype: bad-unknown; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002912; sid:5002912; rev: 2;)
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[FILE-BLUEDOT] PDF Downloaded a suspicious source"; program: snort; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; content: "FILE-IDENTIFY"; content: "PDF"; classtype: bad-unknown; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002913; sid:5002913; rev: 2;)
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[FILE-BLUEDOT] Flash Downloaded a suspicious source"; program: snort; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; content: "FILE-IDENTIFY"; content: "Flash"; classtype: bad-unknown; parse_src_ip: 1; 
parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002914; sid:5002914; rev: 2;)
diff -Nru sagan-rules-10222015/snort-geoip.rules sagan-rules-20160923/snort-geoip.rules
--- sagan-rules-10222015/snort-geoip.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/snort-geoip.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan snort-geoip.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/snort-normalize.rulebase sagan-rules-20160923/snort-normalize.rulebase
--- sagan-rules-10222015/snort-normalize.rulebase 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/snort-normalize.rulebase 1970-01-01 00:00:00.000000000 +0000
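Review bot: The header comment of the new snort-bluedot.rules describes a different detector than the rules under it: it says the rules fire on files "accessed from outside your HOME_COUNTRY", but every rule keys on `bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot`, so an operator reading the comment will expect GeoIP behaviour and a HOME_COUNTRY dependency this file does not have. Suggested replacement for that line: `# These detect where certain types of files are downloaded from an IP that Bluedot lists as Malicious, Tor or Honeypot.` (and `# THESE RULES ARE HIGHLY EXPERIMENTAL!` for the typo a few lines below). The secondary matches are short, case-sensitive substrings of the Snort message (`"Exe"`, `"Java"`, `"Jar"`, `"PDF"`, `"Flash"`), so `"Java"` and `"Jar"` may both fire on a single alert and which FILE-IDENTIFY messages they actually hit depends on the exact wording of the Snort ruleset in use — worth recording the intended message text beside each rule, or tightening them with `nocase` plus a more distinctive string once that wording is confirmed. The msg strings for 5002912-5002914 also drop the word "from" ("Jar/Zip Downloaded a suspicious source"), and sid-msg.map carries that wording verbatim.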
@@ -1,34 +0,0 @@
-# Sagan snort-normalize.rulebase
-# Copyright (c) 2009-2015, Quadrant Information Security
-# All rights reserved.
-#
-# This file is used in conjunction with liblognorm.
-#
-# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
-#
-#*************************************************************
-# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
-# following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
-# disclaimer.
-# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
-# following disclaimer in the documentation and/or other materials provided with the distribution.
-# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
-# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
-# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-#
-#*************************************************************
-
-prefix=
-#
-# Jun 2 00:41:47 demo snort: [1:19559:5] INDICATOR-SCAN SSH brute force login attempt [Classification: Misc activity] [Priority: 3] {TCP} 43.255.188.148:35236 -> 10.5.1.3:22
-
-rule=: [%generator_id:number%:%sig_id:number%:%rev:number%] %sig_name:char-to:\x5b%[Classification: %classtype:char-to:\x5d%] [Priority: %pri:number%] {%proto:char-to:\x7d%} %dst-ip:ipv4%:%dst-port:number% -> %src-ip:ipv4%:%src-port:number%
diff -Nru sagan-rules-10222015/snort.rules sagan-rules-20160923/snort.rules
--- sagan-rules-10222015/snort.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/snort.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan snort.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -25,39 +25,39 @@
 #
 #*************************************************************
-# alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Snort syslog message"; program: snort; content: "Classification"; content: "Priority"; classtype: suspicious-command; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000386; sid: 5000386; rev:3;)
+# alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Snort syslog message"; program: snort; content: "Classification"; content: "Priority"; classtype: suspicious-command; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000386; sid: 5000386; rev:4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Not Suspicious Traffic"; program: snort; content: "Classification|3a| Not Suspicious Traffic"; classtype: not-suspicious; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000976; sid: 5000976; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Unknown Traffic"; program: snort; content: "Classification|3a| Unknown Traffic"; classtype: unknown; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000977; sid: 5000977; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Bad Traffic"; program: snort; content: "Classification|3a| Bad Traffic"; classtype: bad-unknown; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000978; sid: 5000978; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Attempted Information Leak"; program: snort; content: "Classification|3a| Attempted Information Leak"; classtype: attempted-recon; flowbits: set, recon, 86400; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000979; sid: 5000979; rev:4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Information Leak"; program: snort; content: "Classification|3a| Information Leak"; classtype: successful-recon-limited; flowbits: set, recon, 86400; normalize: snort; 
reference: url,wiki.quadrantsec.com/bin/view/Main/5000980; sid: 5000980; rev:4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Large Scale Information Leak"; program: snort; content: "Classification|3a| Large Scale Information Leak"; classtype: successful-recon-largescale; flowbits: set, recon, 86400; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000981; sid: 5000981; rev:4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Attempted Denial of Service"; program: snort; content: "Classification|3a| Attempted Denial of Service"; classtype: attempted-dos; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000982; sid: 5000982; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Denial of Service"; program: snort; content: "Classification|3a| Denial of Service"; classtype: successful-dos; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000983; sid: 5000983; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Attempted User Privilege Gain"; program: snort; content: "Classification|3a| Attempted User Privilege Gain"; classtype: attempted-user; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000984; sid: 5000984; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Unsuccessful User Privilege Gain"; program: snort; content: "Classification|3a| Unsuccessful User Privilege Gain"; classtype: unsuccessful-user; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000985; sid: 5000985; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Successful User Privilege Gain"; program: snort; content: "Classification|3a| Successful User Privilege Gain"; classtype: successful-user; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000986; sid: 5000986; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Attempted Administrator Privilege Gain"; 
program: snort; content: "Classification|3a| Attempted Administrator Privilege Gain"; classtype: attempted-admin; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000987; sid: 5000987; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Successful Administrator Privilege Gain"; program: snort; content: "Classification|3a| Successful Administrator Privilege Gain"; classtype: successful-admin; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000988; sid: 5000988; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Decode of an RPC Query"; program: snort; content: "Classification|3a| Decode of an RPC Query"; classtype: rpc-portmap-decode; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000989; sid: 5000989; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Executable code was detected"; program: snort; content: "Classification|3a| Executable code was detected"; classtype: shellcode-detect; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000990; sid: 5000990; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A suspicious string was detected"; program: snort; content: "Classification|3a| A suspicious string was detected"; classtype: string-detect; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000991; sid: 5000991; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A suspicious filename was detected"; program: snort; content: "Classification|3a| A suspicious filename was detected"; classtype: suspicious-filename-detect; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000992; sid: 5000992; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] An attempted login using a suspicious username was detected"; program: snort; content: "Classification|3a| An attempted login using a suspicious username was detected"; classtype: 
suspicious-login; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000993; sid: 5000993; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A system call was detected"; program: snort; content: "Classification|3a| A system call was detected"; classtype: system-call-detect; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000995; sid: 5000995; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A TCP connection was detected"; program: snort; content: "Classification|3a| A TCP connection was detected"; classtype: tcp-connection; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000996; sid: 5000996; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A Network Trojan was detected"; program: snort; content: "Classification|3a| A Network Trojan was detected"; classtype: trojan-activity; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000997; sid: 5000997; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A client was using an unusual port"; program: snort; content: "Classification|3a| A client was using an unusual port"; classtype: unusual-client-port-connection; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000998; sid: 5000998; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Detection of a Network Scan"; program: snort; content: "Classification: Detection of a Network Scan"; classtype: network-scan; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000999; sid: 5000999; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Detection of a Denial of Service Attack"; program: snort; content: "Classification|3a| Detection of a Denial of Service Attack"; classtype: denial-of-service; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5001000; sid: 5001000; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any 
(msg:"[SNORT] Detection of a non-standard protocol or event"; program: snort; content: "Classification|3a| Detection of a non-standard protocol or event"; classtype: non-standard-protocol; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5001001; sid: 5001001; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Generic Protocol Command Decode"; program: snort; content: "Classification|3a| Generic Protocol Command Decode"; classtype: protocol-command-decode; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5001002; sid: 5001002; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] access to a potentially vulnerable web application"; program: snort; content: "Classification|3a| access to a potentially vulnerable web application"; classtype: web-application-activity; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5001003; sid: 5001003; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Web Application Attack"; program: snort; content: "Classification|3a| Web Application Attack"; classtype: web-application-activity; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5001004; sid: 5001004; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Misc activity"; program: snort; content: "Classification|3a| Misc activity"; classtype: misc-activity; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5001005; sid: 5001005; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Misc Attack"; program: snort; content: "Classification|3a| Misc Attack"; classtype: misc-attack; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5001006; sid: 5001006; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Generic ICMP event"; program: snort; content: "Classification: Generic ICMP event"; classtype: icmp-event; normalize: snort; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001007; sid: 5001007; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] SCORE! Get the lotion! [Porn]"; program: snort; content: "Classification|3a| SCORE! Get the lotion!"; classtype: kickass-porn; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5001008; sid: 5001008; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Potential Corporate Privacy Violation"; program: snort; content: "Classification|3a| Potential Corporate Privacy Violation"; classtype: policy-violation; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5001009; sid: 5001009; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Attempt to login by a default username and password"; program: snort; content: "Classification|3a| Attempt to login by a default username and password"; classtype: default-login-attempt; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5001010; sid: 5001010; rev:3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Not Suspicious Traffic"; program: snort; content: "Classification|3a| Not Suspicious Traffic"; classtype: not-suspicious; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000976; sid: 5000976; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Unknown Traffic"; program: snort; content: "Classification|3a| Unknown Traffic"; classtype: unknown; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000977; sid: 5000977; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Bad Traffic"; program: snort; content: "Classification|3a| Bad Traffic"; classtype: bad-unknown; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000978; sid: 5000978; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Attempted Information Leak"; program: snort; content: "Classification|3a| Attempted Information Leak"; classtype: 
attempted-recon; flowbits: set, recon, 86400; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000979; sid: 5000979; rev:5;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Information Leak"; program: snort; content: "Classification|3a| Information Leak"; classtype: successful-recon-limited; flowbits: set, recon, 86400; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000980; sid: 5000980; rev:5;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Large Scale Information Leak"; program: snort; content: "Classification|3a| Large Scale Information Leak"; classtype: successful-recon-largescale; flowbits: set, recon, 86400; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000981; sid: 5000981; rev:5;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Attempted Denial of Service"; program: snort; content: "Classification|3a| Attempted Denial of Service"; classtype: attempted-dos; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000982; sid: 5000982; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Denial of Service"; program: snort; content: "Classification|3a| Denial of Service"; classtype: successful-dos; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000983; sid: 5000983; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Attempted User Privilege Gain"; program: snort; content: "Classification|3a| Attempted User Privilege Gain"; classtype: attempted-user; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000984; sid: 5000984; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Unsuccessful User Privilege Gain"; program: snort; content: "Classification|3a| Unsuccessful User Privilege Gain"; classtype: unsuccessful-user; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000985; sid: 5000985; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Successful User 
Privilege Gain"; program: snort; content: "Classification|3a| Successful User Privilege Gain"; classtype: successful-user; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000986; sid: 5000986; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Attempted Administrator Privilege Gain"; program: snort; content: "Classification|3a| Attempted Administrator Privilege Gain"; classtype: attempted-admin; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000987; sid: 5000987; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Successful Administrator Privilege Gain"; program: snort; content: "Classification|3a| Successful Administrator Privilege Gain"; classtype: successful-admin; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000988; sid: 5000988; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Decode of an RPC Query"; program: snort; content: "Classification|3a| Decode of an RPC Query"; classtype: rpc-portmap-decode; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000989; sid: 5000989; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Executable code was detected"; program: snort; content: "Classification|3a| Executable code was detected"; classtype: shellcode-detect; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000990; sid: 5000990; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A suspicious string was detected"; program: snort; content: "Classification|3a| A suspicious string was detected"; classtype: string-detect; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000991; sid: 5000991; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A suspicious filename was detected"; program: snort; content: "Classification|3a| A suspicious filename was detected"; classtype: suspicious-filename-detect; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000992; 
sid: 5000992; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] An attempted login using a suspicious username was detected"; program: snort; content: "Classification|3a| An attempted login using a suspicious username was detected"; classtype: suspicious-login; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000993; sid: 5000993; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A system call was detected"; program: snort; content: "Classification|3a| A system call was detected"; classtype: system-call-detect; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000995; sid: 5000995; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A TCP connection was detected"; program: snort; content: "Classification|3a| A TCP connection was detected"; classtype: tcp-connection; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000996; sid: 5000996; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A Network Trojan was detected"; program: snort; content: "Classification|3a| A Network Trojan was detected"; classtype: trojan-activity; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000997; sid: 5000997; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A client was using an unusual port"; program: snort; content: "Classification|3a| A client was using an unusual port"; classtype: unusual-client-port-connection; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000998; sid: 5000998; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Detection of a Network Scan"; program: snort; content: "Classification: Detection of a Network Scan"; classtype: network-scan; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000999; sid: 5000999; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Detection of a Denial of Service Attack"; program: snort; content: "Classification|3a| 
Detection of a Denial of Service Attack"; classtype: denial-of-service; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001000; sid: 5001000; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Detection of a non-standard protocol or event"; program: snort; content: "Classification|3a| Detection of a non-standard protocol or event"; classtype: non-standard-protocol; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001001; sid: 5001001; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Generic Protocol Command Decode"; program: snort; content: "Classification|3a| Generic Protocol Command Decode"; classtype: protocol-command-decode; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001002; sid: 5001002; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] access to a potentially vulnerable web application"; program: snort; content: "Classification|3a| access to a potentially vulnerable web application"; classtype: web-application-activity; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001003; sid: 5001003; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Web Application Attack"; program: snort; content: "Classification|3a| Web Application Attack"; classtype: web-application-activity; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001004; sid: 5001004; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Misc activity"; program: snort; content: "Classification|3a| Misc activity"; classtype: misc-activity; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001005; sid: 5001005; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Misc Attack"; program: snort; content: "Classification|3a| Misc Attack"; classtype: misc-attack; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001006; sid: 5001006; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any 
(msg:"[SNORT] Generic ICMP event"; program: snort; content: "Classification: Generic ICMP event"; classtype: icmp-event; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001007; sid: 5001007; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] SCORE! Get the lotion! [Porn]"; program: snort; content: "Classification|3a| SCORE! Get the lotion!"; classtype: kickass-porn; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001008; sid: 5001008; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Potential Corporate Privacy Violation"; program: snort; content: "Classification|3a| Potential Corporate Privacy Violation"; classtype: policy-violation; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001009; sid: 5001009; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Attempt to login by a default username and password"; program: snort; content: "Classification|3a| Attempt to login by a default username and password"; classtype: default-login-attempt; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001010; sid: 5001010; rev:4;)
diff -Nru sagan-rules-10222015/solaris.rules sagan-rules-20160923/solaris.rules
--- sagan-rules-10222015/solaris.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/solaris.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan solaris.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/sonicwall-normalize.rulebase sagan-rules-20160923/sonicwall-normalize.rulebase
--- sagan-rules-10222015/sonicwall-normalize.rulebase 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/sonicwall-normalize.rulebase 1970-01-01 00:00:00.000000000 +0000
@@ -1,43 +0,0 @@
-# Sagan sonicwall.rulebase
-# Copyright (c) 2009-2015, Quadrant Information Security
-# All rights reserved.
-#
-# This file is used in conjunction with liblognorm.
-#
-# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
-#
-#*************************************************************
-# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
-# following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
-# disclaimer.
-# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
-# following disclaimer in the documentation and/or other materials provided with the distribution.
-# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
-# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
-# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#
-#*************************************************************
-
-# rememer the space at the end of the rule.. 
Also " counts as part of a %thing:word%
-
-#prefix=id=%firewall:word% sn=%serial:word% time="%date:word% %hour:number%:%minute:number%:%seconds:number%" fw=%fire-ip:ipv4% pri=%pri:number% c=%c:number% m=%m:number%
-
-prefix=id=%firewall:word% sn=%serial:word% time="%date:date-iso% %time:time-24hr%" fw=%fire-ip:ipv4% pri=%pri:number% c=%c:number% m=%m:number%
-
-
-rule=: msg="Possible port scan detected" n=%n:number% src=%src-ip:ipv4%:%src-port:number%:%interface:word% dst=%dst-ip:ipv4%:%dst-port:number%:%interface:word% note=%ports-scanned:quoted-string%
-
-#rule=: msg="%alert:char-to:\x22%" sid=%sid:number% ipscat=%proto:word% ipspri=%ipspri:number% n=%n:number% src=%src-ip:ipv4%:%src-port:number%:%interface:word% dst=%dst-ip:ipv4%:%dst-port:number%:%interface:word%
-
-rule=: msg=%alert:quoted-string% sid=%sid:number% ipscat=%proto:word% ipspri=%ipspri:number% n=%n:number% src=%src-ip:ipv4%:%src-port:number%:%interface:word% dst=%dst-ip:ipv4%:%dst-port:number%:%interface:word%
-
-
diff -Nru sagan-rules-10222015/sonicwall.rules sagan-rules-20160923/sonicwall.rules
--- sagan-rules-10222015/sonicwall.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/sonicwall.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan sonicwall.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -25,9 +25,144 @@
 #
 #*************************************************************
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[SONICWALL] Possible TCP Port Scan"; content: "Possible port scan detected"; content: "TCP scanned port list"; classtype: network-scan; normalize: sonicwall; reference: url,wiki.quadrantsec.com/bin/view/Main/5001083; sid: 5001083; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[SONICWALL] Possible UDP Port Scan"; content: "Possible port scan detected"; content: "UDP scanned port list"; classtype: network-scan; normalize: sonicwall; reference: url,wiki.quadrantsec.com/bin/view/Main/5001085; sid: 5001085; rev:1;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"[SONICWALL] IPS Detection Alert"; content: "IPS Detection Alert"; content: "ICMP PING"; classtype: network-scan; normalize: sonicwall; reference: url,wiki.quadrantsec.com/bin/view/Main/5001084; sid: 5001084; rev:1;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"[SONICWALL] IPS Detection Alert"; content: "IPS Detection Alert"; classtype: network-scan; normalize: sonicwall; reference: url,wiki.quadrantsec.com/bin/view/Main/5001090; sid: 5001090; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[SONICWALL] Possible TCP Port Scan"; content: "Possible port scan detected"; content: "TCP scanned port list"; classtype: network-scan; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001085; sid: 5001083; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[SONICWALL] Possible UDP Port Scan"; content: "Possible port scan detected"; content: "UDP scanned port list"; classtype: network-scan; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001085; sid: 5001085; rev:2;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"[SONICWALL] IPS Detection Alert"; content: "IPS Detection Alert"; content: "ICMP PING"; classtype: network-scan; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001084; sid: 5001084; 
rev:2;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"[SONICWALL] IPS Detection Alert"; content: "IPS Detection Alert"; classtype: network-scan; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001090; sid: 5001090; rev:3;)
+# These where created by Kevin Gross (kgross@quadrantsec.com)
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Possible restart for system maintenance"; content: "As per Diagnostic Auto-restart configuration request, restarting system"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002601; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Auto-Dial Failure"; content: "auto-dial failed: Current Connection Model is configured as Ethernet Only"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002602; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Ethernet Port Down"; content: "Ethernet Port Down"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002603; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Ethernet Port Up"; content: "Ethernet Port Up"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002604; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Registration Update Needed"; content: "Registration Update Needed"; content: "Restore your existing security service subscRIPtions by clicking"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002605; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any 
(msg:"[SONICWALL] 3G Device Detected"; content: "3G"; content: "device detected"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002606; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] 3G Data Limit Reached"; content: "3G"; content: "data usage limit reached"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002607; rev: 2; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] No 3G Sim Card Detected"; content: "3G"; content: "No SIM detected"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002608; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Preferences File Inaccessable"; content: "A prior version of preferences was loaded because the most recent preferences file was inaccessible"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002609; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] OS Upgrade Performed"; content: "A SonicOS Standard to Enhanced Upgrade was performed"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002610; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Attempted access from host out of compliance with GSC policy"; content: "Access attempt from host out of compliance with GSC policy"; classtype: configuration-error; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002611; rev: 2; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Access 
attempt from host without Anti-Virus agent installed"; content: "Access attempt from host without Anti-Virus agent installed"; classtype: configuration-error; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002612; rev: 2; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Security Services"; content: "Access attempt from host without GSC installed"; classtype: configuration-error; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002613; rev: 2; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Rule Added"; content: "Access rule added"; classtype: configuration-change; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002614; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Rule Deleted"; content: "Access rule deleted"; classtype: configuration-change; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002615; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Rule Modified"; content: "Access rule modified"; classtype: configuration-change; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002616; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Rule reset to defaults"; content: "Access rules restored to defaults"; classtype: configuration-change; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002617; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Network Access to proxy server denied"; content: "Access to proxy server denied"; classtype: permissions-violation; 
parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002618; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] ActiveX access denied"; content: "ActiveX access denied"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002619; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] ActiveX or Java archive access denied"; content: "ActiveX or Java archive access denied"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002620; rev: 2; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Successful Administrator Access"; content: "Administrator login allowed"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002621; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Administrator Access denied due to bad credentials"; content: "Administrator login denied due to bad credentials"; classtype: unsuccessful-admin; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002622; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Administrator Access not allowed on this interface"; content: "Administrator login denied from"; content: "logins disabled from this interface"; classtype: unsuccessful-admin; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002623; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Administrator Account Name Changed"; content: "Administrator name changed"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 
2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002624; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall preferences reset to factory defaults"; content: "All preference values have been set to factory default values"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002625; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Allowed LDAP server certificate with wrong host name"; content: "Allowed LDAP server certificate with wrong host name"; classtype: unsuccessful-admin; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002626; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Possible Intrusion detection - Anti-Spyware detected"; content: "Anti-Spyware Detection Alert"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002627; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Possible Intrusion detection - Anti-Spyware detected"; content: "Anti-Spyware Prevention Alert"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002628; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Suspicious Application detected"; content: "Application Filter Detection Alert"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002629; rev: 2; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Suspicious Application detected"; content: "Application Filters Block Alert"; 
classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002630; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] ASOC Flood detected from WLAN station"; content: "Association Flood from WLAN station"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002631; rev: 2; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Back Orifice Attack Dropped"; content: "Back Orifice attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002632; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] High Availability - Backup active"; content: "Backup active"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002633; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] High Availability/Failover - Backup Firewall Active"; content: "Backup firewall has transitioned to Active"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002634; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] High Availability/Failover - Backup Firewall transitioned to idle"; content: "Backup firewall has transitioned to Idle"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002635; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] High Availability - Backup Firewall Rebooting"; content: "Backup firewall rebooting itself as it transitioned from Active to Idle 
while Preempt"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002636; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] High Availability - Backup WAN link down"; content: "Backup WAN link down, Primary going Active"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002637; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] VPN PKI - Bad CRL format"; content: "Bad CRL format"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002638; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] VPN PKI - Blacklisted Certificate"; content: "Certificate on Revoked list(CRL)"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002639; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Administrator Login - Commandline login successful"; content: "CLI administrator login allowed"; classtype: successful-admin; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002640; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Administrator login failed due to bad credentials"; content: "CLI administrator login denied due to bad credentials"; classtype: unsuccessful-admin; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002641; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall event - Diagnostic Reboot"; content: "Diagnostic Auto-restart scheduled for"; classtype: system-event; parse_src_ip: 
1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002642; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code A"; content: "Diagnostic Code A"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002643; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code B"; content: "Diagnostic Code B"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002644; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code C"; content: "Diagnostic Code C"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002645; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code D"; content: "Diagnostic Code D"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002646; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code E"; content: "Diagnostic Code E"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002647; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code F"; content: "Diagnostic Code F"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002648; rev: 1; )
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall 
Hardware Diagnostic Code G"; content: "Diagnostic Code G"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002649; rev: 2; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code H"; content: "Diagnostic Code H"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002650; rev: 2; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code I"; content: "Diagnostic Code I"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002651; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code J"; content: "Diagnostic Code J"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002652; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection Non-Sonicpoint WLAN traffic dropped"; content: "Drop WLAN traffic from nonSonicPoint devices"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002653; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Error initializing Hardware acceleration for VPN"; content: "Error initializing Hardware acceleration for VPN"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002654; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] High Availability - Error rebooting peer firewall"; content: "Error Rebooting HA Peer Firewall"; classtype: 
system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002655; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] High Availability - Error setting up IP address of the backup"; content: "Error setting the IP address of the backup, please manually set to backup LAN IP"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002656; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Security Services - License Sync Failed"; content: "Failed to synchronize license information with Licensing Server"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002657; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Possible FIN Flood"; content: "FIN Flood Blacklist on"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002658; rev: 2; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Possible FIN Flood"; content: "FIN-Flooding machine"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002659; rev: 2; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] WLAN IDS - Rouge Access Point"; content: "Found Rogue Access Point"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002660; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Fraudulent Microsoft Certificate"; content: "Fraudulent Microsoft certificate found"; classtype: 
exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002661; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] FTP - Login Failed"; content: "FTP client user logged in failed"; classtype: unsuccessful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002662; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Network Access - Dropped access from non-default port"; content: "Data connection from non default port dropped"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002663; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Bounce attack dropped"; content: "PASV response bounce attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002664; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Spoof attack dropped"; content: "PASV response spoof attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002665; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Guest account created"; content: "Guest account"; content: "created"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002666; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Guest account deleted"; content: "Guest account"; content: "deleted"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: 
url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002667; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Guest account disabled"; content: "Guest account"; content: "disabled"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002668; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Guest account pruned"; content: "Guest account"; content: "pruned"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002669; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Guest account re-enabled"; content: "Guest account"; content: "re-enabled"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002670; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Guest account re-generated"; content: "Guest account"; content: "re-generated"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002671; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Heartbeat detected from incompatable source"; content: "Heartbeat received from incompatible source"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002672; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] HTTP management port has changed"; content: "HTTP management port has changed"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002673; rev: 1; ) +alert syslog $HOME_NET any -> 
$EXTERNAL_NET any (msg:"[SONICWALL] Wireless - Unauthorized user"; content: "Internet Access restricted to authorized users"; classtype: permissions-violation; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002674; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Possible IP spoof detected"; content: "IP spoof detected on packet to Central Gateway"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002675; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Possible IP spoof dropped"; content: "IP spoof dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002676; rev: 1; ) +#alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] IPS Detection Alert"; content: "IPS Detection Alert"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002677; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] IPS Prevention Alert"; content: "IPS Prevention Alert"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002678; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Land attack dropped"; content: "Land attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002679; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - removed from FIN flood blacklist"; content: "removed from FIN flood blacklist"; classtype: system-event; 
parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002680; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - removed from RST flood blacklist"; content: "removed from RST flood blacklist"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002681; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - removed from SYN flood blacklist"; content: "removed from SYN flood blacklist"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002682; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall logging - Maximum events per second threshold exceeded"; content: "Maximum events per second threshold exceeded"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002683; rev: 2; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] PPP dialup - Maximum sequential failed dial attempts"; content: "Maximum sequential failed dial attempts"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002684; rev: 2; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall logging - Maximum syslog data per second threshold exceeded"; content: "Maximum syslog data per second threshold exceeded"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002685; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Multiple DHCP servers detected on network"; content: "Multiple DHCP 
Servers are detected on network"; classtype: network-event; parse_src_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002686; rev: 2; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Net Spy attack dropped"; content: "Net Spy attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002687; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - NetBus attack dropped"; content: "NetBus attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002688; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Wireless - Packet dropped by WLAN"; content: "Packet dropped by WLAN"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002689; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] No firewall rule exists for VPN policy"; content: " No firewall rule associated with VPN policy"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002690; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Ping of Death dropped"; content: "Ping of death dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002691; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Possible DNS rebind attack detected"; content: "Possible DNS rebind attack detected"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; 
reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002692; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Possible FIN Flood"; content: "Possible FIN Flood"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002693; rev: 2; ) +#alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Possible port scan detected"; content: "Possible port scan detected"; classtype: network-scan ; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002694; rev: 2; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Possible RST Flood"; content: "Possible RST Flood"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002695; rev: 2; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Possible SYN Flood"; content: "Possible SYN Flood"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002696; rev: 2; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Priority attack dropped"; content: "Priority attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002697; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Probable port scan detected"; content: "Probable port scan detected"; classtype: network-scan; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002698; rev: 2; ) +alert 
syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Probable TCP FIN scan detected"; content: "Probable TCP FIN scan detected"; classtype: network-scan; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002699; rev: 2; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Probable TCP NULL scan detected"; content: "Probable TCP NULL scan detected"; classtype: network-scan; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002700; rev: 2; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Probable TCP XMAS scan detected"; content: "Probable TCP XMAS scan detected"; classtype: network-scan; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002701; rev: 2; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Wan Failover - Possible recon attempt"; content: "Probing failure on"; classtype: attempted-recon; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002702; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Wan Failover - Recon attempt"; content: "Probing suceeded on"; classtype: successful-recon-limited; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002703; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware - Clock battery has failed"; content: "Real time clock battery failure Time values may be incorrect"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002704; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any 
(msg:"[SONICWALL] Wan Failover - Possible recon"; content: "Probing suceeded on"; classtype: successful-recon-limited; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002705; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Sonicwall License Expired"; content: "SonicWALL"; content: "expired"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002706; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall rebooting"; content: "Restarting SonicWALL"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002707; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - RIPper attack dropped"; content: "RIPper attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002708; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - RST Flood Blacklist"; content: "RST Flood Blacklist on IF"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002709; rev: 2; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - RST Flood"; content: "RST"; content: "Flooding machine"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002710; rev: 2; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Senna Spy attack dropped"; content: "Senna Spy attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; 
reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002711; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall activated"; content: "SonicWALL activated"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002712; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall starting up"; content: "SonicWALL initializing"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002713; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] SonicWALL SSO agent is down"; content: "SonicWALL SSO agent is down"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002714; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] SonicWALL SSO agent is up"; content: "SonicWALL SSO agent is up"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002715; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Domain name too long"; content: "SonicWALL SSO agent returned domain name too long"; classtype: system-event; normalize; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002716; rev: 2; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] SSO agent returned error"; content: "SonicWALL SSO agent returned error"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002717; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] User name too long"; content: "SonicWALL SSO agent 
returned user name too long"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002718; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Source routed IP packet dropped"; content: "Source routed IP packet dropped"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002719; rev: 2; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Spank attack dropped"; content: "Spank attack multicast packet dropped"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002720; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] VPN policy enforced"; content: "VPN enforcement"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002721; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Striker attack dropped"; content: "Striker attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002722; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Sub Seven attack dropped"; content: "Sub Seven attack dropped"; classtype: exploit-attempt; normalize; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002723; rev: 3; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - SYN Flood blacklisting enabled by user"; content: "SYN Flood blacklisting enabled by user"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; 
reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002724; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - SYN flood ceased or flooding machines blacklisted"; content: "SYN flood ceased or flooding machines blacklisted"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002725; rev: 2; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - SYN Flood Mode changed by user"; content: "SYN Flood Mode changed by user to"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002726; rev: 2; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] System clock manually updated"; content: "System clock manually updated"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002727; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - TCP Xmas Tree dropped"; content: "TCP Xmas Tree dropped"; classtype: network-scan; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002728; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Virtual Access Point is disabled"; content: "Virtual Access Point is disabled"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002729; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Virtual Access Point is enabled"; content: "Virtual Access Point is enabled"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: 
url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002730; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Hardware failure - Voltages Out of Tolerance"; content: "Voltages Out of Tolerance"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002731; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] WLAN firmware image has been updated"; content: "WLAN firmware image has been updated"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002732; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Radio frequency threat detected"; content: "WLAN radio frequency threat detected"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002733; rev: 1; ) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] WLAN sequence number out of order - sequencing error/EMF interference/rogue AP"; content: "WLAN sequence number out of order"; classtype: network-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002734; rev: 1; ) diff -Nru sagan-rules-10222015/squid.rules sagan-rules-20160923/squid.rules --- sagan-rules-10222015/squid.rules 2015-10-22 15:19:05.000000000 +0000 +++ sagan-rules-20160923/squid.rules 2016-09-21 02:52:28.000000000 +0000 
@@ -1,5 +1,5 @@
 # Sagan squid.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/ssh-tectia-server-aetas.rules sagan-rules-20160923/ssh-tectia-server-aetas.rules
--- sagan-rules-10222015/ssh-tectia-server-aetas.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/ssh-tectia-server-aetas.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan ssh-tectia-server-aetas.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/ssh-tectia-server-bluedot.rules sagan-rules-20160923/ssh-tectia-server-bluedot.rules
--- sagan-rules-10222015/ssh-tectia-server-bluedot.rules 1970-01-01 00:00:00.000000000 +0000
+++ sagan-rules-20160923/ssh-tectia-server-bluedot.rules 2016-09-21 02:52:28.000000000 +0000
@@ -0,0 +1,30 @@
+# Sagan ssh-tectia-server-bluedot.rules
+# Copyright (c) 2009-2016, Quadrant Information Security
+# All rights reserved.
+#
+# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
+#
+#*************************************************************
+# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
+# following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
+# disclaimer.
+# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
+# following disclaimer in the documentation and/or other materials provided with the distribution.
+# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#*************************************************************
+#
+# These rules are for the SSH Tectia Server for Windows systems.
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[SSH-TECTIA-SERVER-BLUEDOT] Authentication success from a suspicious source"; content: "Login_success"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002915; parse_src_ip: 1; parse_dst_ip: 2; program: SSH_Tectia_Server; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; sid:5002915; rev:2;)
diff -Nru sagan-rules-10222015/ssh-tectia-server-correlated.rules sagan-rules-20160923/ssh-tectia-server-correlated.rules
--- sagan-rules-10222015/ssh-tectia-server-correlated.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/ssh-tectia-server-correlated.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan ssh-tectia-server-correlated.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/ssh-tectia-server-geoip.rules sagan-rules-20160923/ssh-tectia-server-geoip.rules
--- sagan-rules-10222015/ssh-tectia-server-geoip.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/ssh-tectia-server-geoip.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan ssh-tectia-server-geoip.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/ssh-tectia-server.rules sagan-rules-20160923/ssh-tectia-server.rules
--- sagan-rules-10222015/ssh-tectia-server.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/ssh-tectia-server.rules 2016-09-21 02:52:28.000000000 +0000
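Review bot: The header of the new ssh-tectia-server-bluedot.rules says only that the rules are for SSH Tectia Server on Windows, but its single rule (sid 5002915) carries `bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot;`, so it only works where Sagan's Bluedot reputation lookup is enabled and configured; nothing tells a reader who includes this file alongside the plain ssh-tectia-server.rules that extra configuration is needed. Suggest adding under the existing description line: `# Requires the Bluedot reputation processor to be enabled; sid 5002915 alerts on a successful login whose source Bluedot categorises as Malicious, Tor or Honeypot.` The rule is also introduced at `rev:2` although the file is new in this diff (its old-side timestamp is the 1970 epoch), so either the revision should start at 1 or the header should say where the earlier revision lived. The copied licence block keeps the template gap `Neither the name of the nor the names of its contributors` — the organisation name is missing — which a new file is the natural place to fix.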
@@ -1,5 +1,5 @@
 # Sagan ssh-tectia-server.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -27,4 +27,4 @@
 #
 # These rules are for the SSH Tectia Server for Windows systems.
-alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[SSH-TECTIA-SERVER] Authentication Failure - Brute force [5/5]"; content: "Login_failure"; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001877; parse_src_ip: 1; parse_dst_ip: 2; program: SSH_Tectia_Server; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; sid: 5001877; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[SSH-TECTIA-SERVER] Authentication Failure - Brute force [5/5]"; content: "Login_failure"; classtype: unsuccessful-user; flowbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5001877; parse_src_ip: 1; parse_dst_ip: 2; program: SSH_Tectia_Server; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; sid: 5001877; rev:2;)
diff -Nru sagan-rules-10222015/su-normalize.rulebase sagan-rules-20160923/su-normalize.rulebase
--- sagan-rules-10222015/su-normalize.rulebase 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/su-normalize.rulebase 1970-01-01 00:00:00.000000000 +0000
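Review bot: The `flowbits: set,brute_force,21600` added to sid 5001877 has no visible consumer: the only `isset` checks in this diff (vmware-correlated.rules, sids 5002384-5002386) test `recon|honeypot`, so unless a correlated rule outside the diff reads `brute_force`, the bit is write-only. The same addition is made to sid 5001677 in symantec-ems.rules and to sids 5000119 and 5001621-5001624 in syslog.rules. A comment naming the consumer and the expiry would help, e.g. `# brute_force flowbit (21600s = 6h) is read by the *-correlated.rules 'after suspicious activity' rules` if that is where it is consumed.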
@@ -1,33 +0,0 @@
-# Sagan su-normalize.rulebase
-# Copyright (c) 2009-2015, Quadrant Information Security
-# All rights reserved.
-#
-# This file is used in conjunction with liblognorm.
-#
-# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
-#
-#*************************************************************
-# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
-# following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
-# disclaimer.
-# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
-# following disclaimer in the documentation and/or other materials provided with the distribution.
-# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
-# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
-# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#
-#*************************************************************
-
-prefix=
-rule=: Successful su for %-:word% by %username:word%
-rule=: pam_unix(sudo:auth): authentication failure; logname= uid=%uid:number% euid=%-:number% %-:word% ruser= rhost= user=%username:word%
-
diff -Nru sagan-rules-10222015/su.rules sagan-rules-20160923/su.rules
--- sagan-rules-10222015/su.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/su.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan su.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -27,15 +27,15 @@
 # This is for both "su" and "sudo"
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] SUDO user NOT in sudoers"; content:"user NOT in sudoers"; classtype: unsuccessful-admin;program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5000024; sid: 5000024; rev:1;)
-drop syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SU] SUDO authentication failure - Brute force [3/5]"; content: "authentication failure"; classtype: unsuccessful-admin; normalize: su; program: sudo; after: track by_src, count 3, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000025; sid: 5000025; rev:4;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SU] SUDO authentication failure"; content: "authentication failure"; classtype: unsuccessful-admin; normalize: su; program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5001526; sid: 5001526; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Successful su as root"; content:"Successful su for root"; classtype: successful-admin; program: su; reference: url,wiki.quadrantsec.com/bin/view/Main/5000027; normalize: su; sid: 5000027; rev:2;)
+drop syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SU] SUDO authentication failure - Brute force [3/5]"; content: "authentication failure"; classtype: unsuccessful-admin; normalize; program: sudo; after: track by_src, count 3, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000025; sid: 5000025; rev:5;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SU] SUDO authentication failure"; content: "authentication failure"; classtype: unsuccessful-admin; normalize; program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5001526; sid: 5001526; rev:2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Successful su as root"; content:"Successful su for root"; classtype: successful-admin; program: su; reference: url,wiki.quadrantsec.com/bin/view/Main/5000027; normalize; sid: 5000027; rev:3;)
 drop syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] FAILED su - Brute force [5/5]"; content:"FAILED su"; classtype: unsuccessful-admin; program: su; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000028; sid: 5000028; rev:3;)
 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] FAILED su"; content:"FAILED su"; classtype: unsuccessful-admin; program: su; reference: url,wiki.quadrantsec.com/bin/view/Main/5001527; sid: 5001527; rev:1;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Three failed attempts to run sudo"; content: "3 incorrect password attempts"; classtype: unsuccessful-admin;program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5000132; sid: 5000132; rev:1;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Successful sudo to ROOT executed"; content: "USER=root"; content: "COMMAND="; content:!"incorrect password attempts"; content:!"NOT in sudoers"; classtype: successful-admin;program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5000133; sid: 5000133; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] su as 'root' suceeded"; content: "su root"; content: "succeeded for root"; classtype: successful-admin; program: su; reference: url,wiki.quadrantsec.com/bin/view/Main/5000409; normalize: su; sid: 5000409; rev:2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] su as 'root' suceeded"; content: "su root"; content: "succeeded for root"; classtype: successful-admin; program: su; reference: url,wiki.quadrantsec.com/bin/view/Main/5000409; normalize; sid: 5000409; rev:3;)
 # Rules added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/21/2015
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] root password change attempt"; content:"passwd"; content "root"; content:"HISTORY"; classtype: suspicious-command; program: -su|su; reference: url,wiki.quadrantsec.com/bin/view/Main/5002566; sid: 5002566; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] root password change attempt"; content:"passwd"; content: "root"; content:"HISTORY"; classtype: suspicious-command; program: -su|su; reference: url,wiki.quadrantsec.com/bin/view/Main/5002566; sid: 5002566; rev:2;)
diff -Nru sagan-rules-10222015/symantec-ems.rules sagan-rules-20160923/symantec-ems.rules
--- sagan-rules-10222015/symantec-ems.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/symantec-ems.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan symantic-ems.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
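Review bot: Sids 5000025, 5000027 and 5000409 (and the commented-out 5001526) switch from `normalize: su` to a bare `normalize;` in the same change that deletes su-normalize.rulebase, which held the `Successful su for ...` and `pam_unix(sudo:auth) ...` liblognorm patterns; nothing in this diff shows those patterns being carried into whatever rulebase the bare keyword now selects, so the username/uid extraction these rules relied on is gone unless it was migrated elsewhere. The same applies to sid 5002386 in vmware-correlated.rules and sid 5002383 in vmware-geoip.rules, whose `Accepted password for ... from %src-ip:ipv4%` pattern is removed with vmware-normalize.rulebase. A comment above the first `normalize;` rule naming the replacement rulebase would settle it. Separately, sid 5000409 is re-issued at rev:3 with the msg typo `suceeded` still in place; `msg:"[SU] su as 'root' succeeded"` would fix it while the rev is being bumped anyway.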
@@ -36,7 +36,7 @@
 # Multiple login failures - Brute Force
-alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"[SYMANTEC-EMS] Multiple authentication failures"; content: "failed authentication for internal PGP Desktop"; content:!"null"; parse_src_ip: 2; classtype: unsuccessful-user; program: pgp/client; threshold:type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001677; sid: 5001677; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"[SYMANTEC-EMS] Multiple authentication failures"; content: "failed authentication for internal PGP Desktop"; content:!"null"; parse_src_ip: 2; classtype: unsuccessful-user; program: pgp/client; threshold:type limit, track by_src, count 5, seconds 300; flowbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5001677; sid: 5001677; rev:4;)
 # Unsuccessful login
diff -Nru sagan-rules-10222015/syslog.rules sagan-rules-20160923/syslog.rules
--- sagan-rules-10222015/syslog.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/syslog.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan syslog.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -31,16 +31,16 @@
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Kernel TCP/IP redirect attempt"; content: "Advised path"; classtype: bad-unknown; program: Advised; facility: kern; reference: url,wiki.quadrantsec.com/bin/view/Main/5000057; sid: 5000057; rev:1;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] init respawning to fast"; content: "respawning too fast"; classtype: program-error; program: init; threshold: type limit, track by_src, count 5, seconds 60; reference: url,wiki.quadrantsec.com/bin/view/Main/5000058; sid: 5000058; rev:2;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Martian source packet"; content: "martian source"; parse_src_ip: 2; parse_dst_ip: 1; classtype: bad-unknown; program: martian; facility: kern; reference: url,wiki.quadrantsec.com/bin/view/Main/5000059; sid: 5000059; rev:2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Possible unknown problem on a system"; pcre: "/core_dump|core dump| fatal |segmentation fault| corrupt /i"; threshold: type limit, track by_src, count 5, seconds 300; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5000114; sid: 5000114; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Possible unknown problem on a system"; pcre: "/core_dump|core dump| fatal |segmentation fault| corrupt /i"; threshold: type limit, track by_src, count 1, seconds 300; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5000114; meta_content:!"%sagan%",abcnews,cnn,cbsnews,foxnews,msnbc; meta_nocase; sid: 5000114; rev:5;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] /etc/securetty missing, root access unrestricted"; content: "couldn't open /etc/securetty"; nocase; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5000115; sid: 5000115; rev:1;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] System out of disk space"; pcre: "/file system full|No space left on device/i"; classtype: hardware-event; threshold: type limit, track by_src, count 1, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5000116; sid:5000116; rev:2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Unable to mount NFS share"; content: "mount failure"; classtype: program-error; program: nfs; reference: url,wiki.quadrantsec.com/bin/view/Main/5000117; sid: 5000117; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Unable to mount the NFS directory"; content: "refused mount request from"; classtype: program-error; program: rpc.mountd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000118; sid: 5000118; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure - Brute force [25/1]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|authentication failures|access denied|access not allowed|failed to authenticate/i"; parse_src_ip: 1; parse_port; parse_proto; classtype: unsuccessful-user; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5000119; sid: 5000119; rev:11;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure - Brute force [10 attempts in 5 minutes]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|more authentication failures/i"; parse_src_ip: 1; classtype: unsuccessful-user; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001621; sid: 5001621; rev:2;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure - Brute force [20 attempts in 5 minutes]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|more authentication failures/i"; parse_src_ip: 1; classtype: unsuccessful-user; after: track by_src, count 20, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001622; sid: 5001622; rev:2;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure - Brute force [50 attempts in 5 minutes]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|more authentication failures/i"; parse_src_ip: 1; classtype: unsuccessful-user; after: track by_src, count 50, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001623; sid: 5001623; rev:2;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure - Brute force [100 attempts in 5 minutes]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|more authentication failures/i"; parse_src_ip: 1; classtype: unsuccessful-user; after: track by_src, count 100, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001624; sid: 5001624; rev:2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Unable to mount NFS share"; content: "mount failure"; classtype: program-error; program: nfs; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5000117; sid: 5000117; rev:2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Unable to mount the NFS directory"; content: "refused mount request from"; classtype: program-error; program: rpc.mountd; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5000118; sid: 5000118; rev:2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure - Brute force [25/1]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|authentication failures|access denied|access not allowed|failed to authenticate/i"; parse_src_ip: 1; parse_port; parse_proto; classtype: unsuccessful-user; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; flowbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5000119; sid: 5000119; rev:12;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure - Brute force [10 attempts in 5 minutes]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|more authentication failures/i"; parse_src_ip: 1; classtype: unsuccessful-user; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; flowbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5001621; sid: 5001621; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure - Brute force [20 attempts in 5 minutes]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|more authentication failures/i"; parse_src_ip: 1; classtype: unsuccessful-user; after: track by_src, count 20, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; flowbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5001622; sid: 5001622; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure - Brute force [50 attempts in 5 minutes]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|more authentication failures/i"; parse_src_ip: 1; classtype: unsuccessful-user; after: track by_src, count 50, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; flowbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5001623; sid: 5001623; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure - Brute force [100 attempts in 5 minutes]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|more authentication failures/i"; parse_src_ip: 1; classtype: unsuccessful-user; after: track by_src, count 100, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; flowbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5001624; sid: 5001624; rev:3;)
 #
 # Catch all for all Authentication failures.
 #
diff -Nru sagan-rules-10222015/tcp.rules sagan-rules-20160923/tcp.rules
--- sagan-rules-10222015/tcp.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/tcp.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan tcp.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/telnet.rules sagan-rules-20160923/telnet.rules
--- sagan-rules-10222015/telnet.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/telnet.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan telnet.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/trendmicro.rules sagan-rules-20160923/trendmicro.rules
--- sagan-rules-10222015/trendmicro.rules 1970-01-01 00:00:00.000000000 +0000
+++ sagan-rules-20160923/trendmicro.rules 2016-09-21 02:52:28.000000000 +0000
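Review bot: The `meta_content:!"%sagan%",abcnews,cnn,cbsnews,foxnews,msnbc; meta_nocase;` added to sid 5000114 is an unexplained exclusion list, and with the threshold lowered from `count 5` to `count 1` the broad `core dump|fatal|corrupt` pcre now alerts on the first hit per source per 300 seconds, so whoever tunes this rule next has no way to tell why news-outlet names exempt a line. Suggest a comment above the rule, `# 5000114: news-site names are excluded because they trip the fatal/corrupt pcre in web-traffic logs - extend meta_content rather than narrowing the pcre`, if that is the reason. Sids 5000117 and 5000118 also gain `threshold: type limit, track by_src, count 1, seconds 86400`, which means a recurring NFS mount failure surfaces once per day per source; that intent is worth stating in a comment so it is not later mistaken for a missed alert.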
@@ -0,0 +1,28 @@
+# Sagan trendmicro.rules
+# Copyright (c) 2009-2016, Quadrant Information Security
+# All rights reserved.
+#
+# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
+#
+#*************************************************************
+# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
+# following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
+# disclaimer.
+# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
+# following disclaimer in the documentation and/or other materials provided with the distribution.
+# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# Trendmicro rules by Corey Fisher - 02/18/2016
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[Trendmicro] Virus Found Unable to Quarantine"; content: "SLF_INCIDENT_EVT_VIRUS_FOUND_PASS_THRU"; content: "Unable to quarantine file"; program: TMCM; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002797; classtype: suspicious-traffic; sid:5002797; rev:2;)
diff -Nru sagan-rules-10222015/tripwire.rules sagan-rules-20160923/tripwire.rules
--- sagan-rules-10222015/tripwire.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/tripwire.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan tripwire.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/vmpop3d.rules sagan-rules-20160923/vmpop3d.rules
--- sagan-rules-10222015/vmpop3d.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/vmpop3d.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan vmpop3d.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/vmware-bluedot.rules sagan-rules-20160923/vmware-bluedot.rules
--- sagan-rules-10222015/vmware-bluedot.rules 1970-01-01 00:00:00.000000000 +0000
+++ sagan-rules-20160923/vmware-bluedot.rules 2016-09-21 02:52:28.000000000 +0000
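Review bot: The license header of the new trendmicro.rules stops at the `USE OF THIS SOFTWARE` line with only a bare `#` after it, omitting the closing `#*************************************************************` separator that ssh-tectia-server-bluedot.rules and vmware-bluedot.rules in this same change carry, so the block does not visually close before `# Trendmicro rules by Corey Fisher`. Adding that separator line between the `#` and the author line keeps the headers uniform. The rule also identifies its log source only by `program: TMCM` and takes the first IP in the event as the source via `parse_src_ip: 1`; a one-line comment such as `# Trend Micro Control Manager (TMCM) virus events; first IP in the message is treated as the affected host - confirm with a sample line` would help a reader who has not seen one (the product expansion is my inference from the abbreviation).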
@@ -0,0 +1,31 @@
+# Sagan vmware-bluedot.rules
+# Copyright (c) 2009-2016, Quadrant Information Security
+# All rights reserved.
+#
+# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
+#
+#*************************************************************
+# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
+# following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
+# disclaimer.
+# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
+# following disclaimer in the documentation and/or other materials provided with the distribution.
+# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#*************************************************************
+# VMWare ESX
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-BLUEDOT] User login successful from a suspicious source"; pcre: "/Accepted password for|login from/i"; classtype: successful-admin; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; program: vmware-hostd|vmware-authd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002916; sid:5002916; rev:2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-BLUEDOT] User login successful from a suspicious source"; content: " logged in "; classtype: successful-admin; program: Hostd; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002917; sid:5002917; rev:2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-BLUEDOT] User login successful from a suspicious source"; content: "Accepted password"; classtype: successful-admin; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; program: Hostd; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002918; sid:5002918; rev:1;)
diff -Nru sagan-rules-10222015/vmware-correlated.rules sagan-rules-20160923/vmware-correlated.rules
--- sagan-rules-10222015/vmware-correlated.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/vmware-correlated.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan vmware-correlated.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
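Review bot: All three new rules (sids 5002916, 5002917, 5002918) carry the identical `msg:"[VMWARE-BLUEDOT] User login successful from a suspicious source"`, so downstream alerts can only be told apart by sid, whereas the parallel vmware-geoip.rules set gives its Hostd `Accepted password` rule (5002383) a distinct msg. Giving 5002918 its own msg, or a comment noting that the three cover the vmware-hostd/vmware-authd pcre, Hostd ` logged in `, and Hostd `Accepted password` forms respectively, would make triage easier. Sid 5002918 also relies on `normalize;` plus `parse_src_ip: 1` while vmware-normalize.rulebase, which held the `Accepted password for ... from %src-ip:ipv4%` pattern, is deleted in this same change; confirm the pattern is present in the rulebase the bare keyword now selects.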
@@ -28,4 +28,4 @@
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-CORRELATED] User login successful after suspicious activity"; pcre: "/Accepted password for|login from/i"; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; program: vmware-hostd|vmware-authd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002384; sid:5002384; rev:1;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-CORRELATED] User login successful after suspicious activity"; content: " logged in "; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; program: Hostd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002385; sid:5002385; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-CORRELATED] User login successful after suspicious activity"; content: "Accepted password"; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; program: Hostd; normalize: vmware; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002386; sid:5002386; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-CORRELATED] User login successful after suspicious activity"; content: "Accepted password"; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; program: Hostd; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002386; sid:5002386; rev:2;)
diff -Nru sagan-rules-10222015/vmware-geoip.rules sagan-rules-20160923/vmware-geoip.rules
--- sagan-rules-10222015/vmware-geoip.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/vmware-geoip.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan vmware-geoip.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -28,4 +28,4 @@
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-GEOIP] User login successful from outside HOME_COUNTRY"; pcre: "/Accepted password for|login from/i"; classtype: successful-admin; country_code: track by_src, isnot $HOME_COUNTRY; program: vmware-hostd|vmware-authd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002381; sid:5002381; rev:1;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-GEOIP] User login successful from outside HOME_COUNTRY"; content: " logged in "; classtype: successful-admin; program: Hostd; country_code: track by_src, isnot $HOME_COUNTRY; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002382; sid:5002382; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-GEOIP] User login successful"; content: "Accepted password"; classtype: successful-admin; country_code: track by_src, isnot $HOME_COUNTRY; program: Hostd; normalize: vmware; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002383; sid:5002383; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-GEOIP] User login successful"; content: "Accepted password"; classtype: successful-admin; country_code: track by_src, isnot $HOME_COUNTRY; program: Hostd; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002383; sid:5002383; rev:2;)
diff -Nru sagan-rules-10222015/vmware-normalize.rulebase sagan-rules-20160923/vmware-normalize.rulebase
--- sagan-rules-10222015/vmware-normalize.rulebase 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/vmware-normalize.rulebase 1970-01-01 00:00:00.000000000 +0000
@@ -1,33 +0,0 @@
-# Sagan vmware-normalize.rulebase
-# Copyright (c) 2009-2015, Quadrant Information Security
-# All rights reserved.
-#
-# This file is used in conjunction with liblognorm.
-#
-# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
-#
-#*************************************************************
-# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
-# following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
-# disclaimer.
-# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
-# following disclaimer in the documentation and/or other materials provided with the distribution.
-# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
-# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
-# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#
-#*************************************************************
-
-prefix=
-rule=: Accepted password for %username:word% from %src-ip:ipv4%
-
-
diff -Nru sagan-rules-10222015/vmware.rules sagan-rules-20160923/vmware.rules
--- sagan-rules-10222015/vmware.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/vmware.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan vmware.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -27,7 +27,7 @@
 # VMWare ESX
 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] User login successful"; pcre: "/Accepted password for|login from/i"; classtype: successful-admin; program: vmware-hostd|vmware-authd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000204; sid: 5000204; rev:1;)
-drop syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] User authentication failure - Brute force [5/5]"; content: "Rejected password for"; classtype: unsuccessful-admin; program: vmware-hostd|vmware-authd; parse_src_ip: 1; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000206; sid: 5000206; rev:4;)
+drop syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] User authentication failure - Brute force [5/5]"; content: "Rejected password for"; classtype: unsuccessful-admin; program: vmware-hostd|vmware-authd; parse_src_ip: 1; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; flowbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5000206; sid: 5000206; rev:5;)
 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] User authentication failure"; content: "Rejected password for"; classtype: unsuccessful-admin; program: vmware-hostd|vmware-authd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001529; sid: 5001529; rev:1;)
 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] Virtual machine state change to OFF"; content: "VM_STATE_OFF"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000208; sid: 5000208; rev:1;)
 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] Virtual machine being turned ON"; content: "VM_STATE_POWERING_ON"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000380; sid: 5000380; rev:1;)
@@ -50,4 +50,4 @@
 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] Lost access to volume"; content: "Event 37 : "; classtype: hardware-event; program: Hostd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001098; sid: 5001099; rev:1;)
 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] Possible HD/Datastore failure"; content: ": 1672: "; classtype: hardware-event; program: vmkernel; reference: url,wiki.quadrantsec.com/bin/view/Main/5001100; sid: 5001100; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] User login successful"; content: "Accepted password"; classtype: successful-admin; program: Hostd; normalize: vmware; reference: url,wiki.quadrantsec.com/bin/view/Main/5001101; sid: 5001101; rev:1;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] User login successful"; content: "Accepted password"; classtype: successful-admin; program: Hostd; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001101; sid: 5001101; rev:2;)
diff -Nru sagan-rules-10222015/vpopmail.rules sagan-rules-20160923/vpopmail.rules
--- sagan-rules-10222015/vpopmail.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/vpopmail.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan vpopmail.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/vsftpd-bluedot.rules sagan-rules-20160923/vsftpd-bluedot.rules
--- sagan-rules-10222015/vsftpd-bluedot.rules 1970-01-01 00:00:00.000000000 +0000
+++ sagan-rules-20160923/vsftpd-bluedot.rules 2016-09-21 02:52:28.000000000 +0000
@@ -0,0 +1,30 @@
+# Sagan vsftpd-bluedot.rules
+# Copyright (c) 2009-2016, Quadrant Information Security
+# All rights reserved.
+#
+# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
+#
+#*************************************************************
+# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
+# following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
+# disclaimer.
+# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
+# following disclaimer in the documentation and/or other materials provided with the distribution.
+# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#*************************************************************
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[VSFTPD-BLUEDOT] Authentication successful from outside HOME_COUNTRY"; content: "OK LOGIN"; classtype: successful-user; program: vsftpd; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002919; sid:5002919; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[VSFTPD-BLUEDOT] File uploaded from outside HOME_COUNTRY"; content: "OK UPLOAD"; classtype: suspicious-traffic; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; program: vsftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5002920; sid:5002920; rev:2;)
+
diff -Nru sagan-rules-10222015/vsftpd-correlated.rules sagan-rules-20160923/vsftpd-correlated.rules
--- sagan-rules-10222015/vsftpd-correlated.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/vsftpd-correlated.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan vsftpd-correlated.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/vsftpd-geoip.rules sagan-rules-20160923/vsftpd-geoip.rules
--- sagan-rules-10222015/vsftpd-geoip.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/vsftpd-geoip.rules 2016-09-21 02:52:28.000000000 +0000
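Review bot: Both new rules say `from outside HOME_COUNTRY` in `msg:` but contain no `country_code:` option; the only selector is `bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot`, so the alert text describes a GeoIP check the rule does not perform and will mislead triage. Rename them to match the logic, e.g. `msg:"[VSFTPD-BLUEDOT] Authentication successful from IP with bad reputation"` and `msg:"[VSFTPD-BLUEDOT] File uploaded from IP with bad reputation"`. Neither rule carries a `parse_src_ip:` option although the vmware rules in this diff pair every by_src lookup with one, so unless Sagan resolves the client address for vsftpd some other way, `track by_src` here appears to evaluate the reputation of the syslog sender (the FTP server itself) rather than the FTP client — worth confirming before relying on these alerts.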
@@ -1,5 +1,5 @@
 # Sagan vsftpd-geoip.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/vsftpd.rules sagan-rules-20160923/vsftpd.rules
--- sagan-rules-10222015/vsftpd.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/vsftpd.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan vsftpd.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -27,8 +27,13 @@
 #alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[VSFTPD] Session opened"; content: "CONNECT"; classtype: not-suspicious; program: vsftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000194; sid: 5000194; rev:2;)
 #alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[VSFTPD] Authentication successful"; content: "OK LOGIN"; classtype: successful-user; program: vsftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000195; sid: 5000195; rev:2;)
-drop tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[VSFTPD] Login failed - Brute force [5/5]"; content: "FAIL LOGIN"; classtype: unsuccessful-user; program: vsftpd; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000196; sid: 5000196; rev:4;)
+drop tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[VSFTPD] Login failed - Brute force [5/5]"; content: "FAIL LOGIN"; classtype: unsuccessful-user; program: vsftpd; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; flowbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5000196; sid: 5000196; rev:5;)
 #alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[VSFTPD] Login failed"; content: "FAIL LOGIN"; classtype: unsuccessful-user; program: vsftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001530; sid: 5001530; rev:2;)
 #alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[VSFTPD] File uploaded"; content: "OK UPLOAD"; classtype: not-suspicious; program: vsftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000197; sid: 5000197; rev:2;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg: "[FTPD] User logged into an disabled account"; content: "OK LOGIN"; pcre: "/ apache | mysql | www | nobody | nogroup | portmap | named | rpc | mail | ftp | shutdown | halt | daemon | bin | postfix | shell | info | guest | psql | user | users | console | uucp | lp | sync | sshd | cdrom | ossec | sagan /"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000415; program: sshd; sid: 5000415; rev:3;)
+# Rule by W. E Restrepo (werestrepo@quadrantsec.com) - 08/30/2016
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[VSFTPD] FTPCHK3 file accessed by user"; content: "ftpchk3"; pcre: "/CHMOD|DELE|STOR/i"; program: vsftpd; classtype: suspicious-traffic; reference: url,blog.ftptoday.com/ftp-password-stealing-malware; reference: url,wiki.quadrantsec.com/bin/view/Main/5002953; sid:5002953; rev: 2;)
+
+
diff -Nru sagan-rules-10222015/web-attack.rules sagan-rules-20160923/web-attack.rules
--- sagan-rules-10222015/web-attack.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/web-attack.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan web-attack.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
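Review bot: The rewritten drop rule sid 5000196 now keys three actions on the source address — `after: track by_src`, `fwsam: src, 1 day` and the new `flowbits: set,brute_force,21600` — yet unlike its vmware counterpart sid 5000206 in this same diff it has no `parse_src_ip: 1;`; if by_src falls back to the syslog host, every client's failed logins accumulate against the FTP server's own address and the fwsam block would land on the server, so add `parse_src_ip: 1;` provided the vsftpd `FAIL LOGIN` line carries the client address. In the new FTPCHK3 rule sid 5002953, `content: "ftpchk3"` is case-sensitive while its pcre is `/i`; adding `nocase;` after the content keeps the two consistent so a differently-cased filename still matches. That rule is also written as `alert syslog ... any` where every sibling in this hunk uses `alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT`; aligning it keeps the file's conventions uniform.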
@@ -29,7 +29,7 @@
 # Added by Robert Nunley (rnunley@quadantsec.com)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACK] Havij SQL Injection Tool Identified"; content: "0x31303235343830303536"; classtype: web-application-attack; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001699; sid: 5001699; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Havij SQL Injection Tool Identified"; content: "0x31303235343830303536"; classtype: web-application-attack; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001699; sid: 5001699; rev:1;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] UNION ALL SELECT in URL - Possible SQL Injection"; content: "0%27%20union%20all%20select%20"; nocase; classtype: web-application-attack; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001700; sid: 5001700; rev:1;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] SQL Injection Using Encapsulated Data - x=x"; content: "%20and%20%27x%27%3D%27x"; nocase; classtype: web-application-attack; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001701; sid: 5001701; rev:1;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] SQL Injection Using Encapsulated Data - 1=1"; content: "%20and%20%271%27%3D%271"; nocase; classtype: web-application-attack; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001702; sid: 5001702; rev:1;)
@@ -52,8 +52,8 @@
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Hmap Webserver Fingerprint Scan"; content:"GET"; nocase; content:"HTTP/1.0"; content: "User-Agent"; content: "Mozilla"; content: "4.75 [en] |28|Windows NT 5.0"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.ujeni.murkyroc.com/hmap/; reference:url,doc.emergingthreats.net/2008537; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001802; rev:2;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Mini MySqlatOr SQL Injection Scanner"; content:"User-Agent"; content: "prog.CustomCrawler"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.scrt.ch/pages_en/minimysqlator.html; reference:url,doc.emergingthreats.net/2008729; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001803; rev:2;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Default Mysqloit User Agent Detected - Mysql Injection Takover Tool"; content: "User-Agent"; content: "Mysqloit"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,code.google.com/p/mysqloit/; reference:url,doc.emergingthreats.net/2009882; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001804; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Nmap Scripting Engine User-Agent Detected (Nmap NSE)"; content: "User-Agent"; content: "Nmap NSE"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2009359; classtype:web-application-attack; sid:5001805; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)"; content: "User-Agent"; content: "Mozilla/5.0"; content: "Nmap Scripting Engine"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2009358; classtype:web-application-attack; sid:5001806; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Nmap Scripting Engine User-Agent Detected - Nmap NSE"; content: "User-Agent"; content: "Nmap NSE"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2009359; classtype:web-application-attack; sid:5001805; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Nmap Scripting Engine User-Agent Detected - Nmap Scripting Engine"; content: "User-Agent"; content: "Mozilla/5.0"; content: "Nmap Scripting Engine"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2009358; classtype:web-application-attack; sid:5001806; rev:2;)
 #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Nessus User Agent"; content:"User-Agent"; nocase; content:"Nessus"; nocase; threshold: type limit, track by_src,count 1, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.nessus.org; reference:url,doc.emergingthreats.net/2002664; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001807; rev:2;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Nessus User Agent"; content: "User-Agent"; nocase; content: "Nessus"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.nessus.org; reference:url,doc.emergingthreats.net/2002664; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001865; rev:2;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Netsparker Default User-Agent"; content: "User-Agent"; content: " Netsparker"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.mavitunasecurity.com/communityedition/; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001808; rev:2;)
@@ -91,6 +91,20 @@
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] ZmEu Scanner User-Agent Inbound"; content: "User-Agent"; content: "ZmEu"; parse_src_ip: 1; parse_dst_ip: 2; classtype:trojan-activity; sid:5001840; rev:2;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Internal Dummy Connection User-Agent Inbound"; content: "User-Agent"; content:"(internal dummy connection)"; parse_src_ip: 1; parse_dst_ip: 2; classtype:trojan-activity; sid:5001841; rev:1;)
 alert tcp any any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] DominoHunter Security Scan in Progress"; content: "User-Agent"; content: "DominoHunter"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,packetstormsecurity.org/files/31653/DominoHunter-0.92.zip.html; classtype:web-application-attack; sid:5001842; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Vega Web Application Scan"; content: "User-Agent"; content: "Vega"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.subgraph.com/products.html; reference:url,www.darknet.org.uk/2011/07/vega-open-source-cross-platform-web-application-security-assessment-platform/; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001843; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Vega Web Application Scan"; content: !"Vegas"; content: "Vega"; content: "User-Agent"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.subgraph.com/products.html; reference:url,www.darknet.org.uk/2011/07/vega-open-source-cross-platform-web-application-security-assessment-platform/; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001843; rev:3;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] FHScan core User-Agent Detect"; content: "FHScan Core "; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.tarasco.org/security/FHScan_Fast_HTTP_Vulnerability_Scanner/index.html; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001844; rev:2;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] w3af User-Agent 2"; content: "User-Agent"; content:"w3af.sf.net"; parse_src_ip: 1; parse_dst_ip: 2; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001845; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] RFI Attempt"; content: "index.php?cmd="; content: "page="; classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid:5002736; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Possible LFI Attempt"; content:"index.php?system=" classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002737; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Attempt to Access Default WordPress Login Page"; content:"/wp-login.php" classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002738; rev:1;)t
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Attempt to Access a Webshell via WordPress"; content:"/wp-login.php" classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002739; rev:1;)t
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Attempt to Access Default Cacti Login Page"; content:"/include/config.php" classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002740; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Attempt to Access PHPMyAdmin Changelog Page"; content:"/changelog.php" classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002741; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Attempt to Access robots.txt File"; content:"robots.txt" classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002742; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Possible SQL Injection"; content:"|3b|--" classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002743; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Attempt to Access Default Drupal DB Config File"; content:"/sites/default/settings.php" classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002744; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Attempt to Access Default Joomla Page"; content:"/configuration.php" classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002745; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Attempt to Access PHP Timeclock Page"; content:"/db.php" classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002746; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Attempt to Access default DeV!L`s ClanPortal Page"; content:"/inc/mysql.php" classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002747; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Attempt to Access IISamples Page"; content:"/iisamples" classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002748; rev:1;)
diff -Nru sagan-rules-10222015/weblabrinth.rules sagan-rules-20160923/weblabrinth.rules
--- sagan-rules-10222015/weblabrinth.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/weblabrinth.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan weblabrinth.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/windows-aetas.rules sagan-rules-20160923/windows-aetas.rules
--- sagan-rules-10222015/windows-aetas.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/windows-aetas.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan windows-aetas.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
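Review bot: Every new rule from sid 5002737 through 5002748 is missing the `;` between its `content:` option and `classtype:` (`content:"index.php?system=" classtype: web-application-attack;`), and sids 5002738 and 5002739 end with a stray `t` after the closing parenthesis; as written these lines look unlikely to load, or will be mis-parsed, so the block probably adds nothing until each is changed to the form `content:"/include/config.php"; classtype: web-application-attack;` with the trailing `t` removed. Sid 5002739 ("Attempt to Access a Webshell via WordPress") reuses the exact `/wp-login.php` content of 5002738, so it cannot distinguish a webshell from an ordinary login page request and will simply double-alert. Sid 5002742 classifies any `robots.txt` request as web-application-attack, which fires on every legitimate crawler; `classtype: attempted-recon` behind a threshold, or dropping the rule, fits the signal better. In the rewritten Vega rule, `content: !"Vegas"` puts a space before `!` whereas every other negated match in this diff is written `content:!"..."`; confirm the parser accepts that form.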
@@ -24,8 +24,8 @@
 # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-GEOIP] Windows Logon at suspicious time"; pcre: "/ 540: | 4624: /"; classtype: successful-user; program: Security*; parse_src_ip: 1; parse_port; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; reference: url,wiki.quadrantsec.com/bin/view/Main/5002055; sid: 5002055; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] RDP / Logon type 10 at suspicious time"; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; program: Security*; parse_src_ip: 1; days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002056; sid: 5002056; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] Logon attempt using explicit credentials at suspicious time"; pcre: "/ 552: | 4648: /"; content:!"Network Address|3a| - "; content:!"Port|3a| - "; content:!"Target Server Name|3a| localhost"; program: Security*; parse_src_ip: 1; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002057; sid: 5002057; rev:3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-GEOIP] Windows Logon at suspicious time"; pcre: "/ 540: | 4624: /"; classtype: successful-user; program: *Security*; parse_src_ip: 1; parse_port; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; reference: url,wiki.quadrantsec.com/bin/view/Main/5002055; sid: 5002055; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] RDP / Logon type 10 at suspicious time"; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; program: *Security*; parse_src_ip: 1; days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002056; sid: 5002056; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] Logon attempt using explicit credentials at suspicious time"; pcre: "/ 552: | 4648: /"; content:!"Network Address|3a| - "; content:!"Port|3a| - "; content:!"Target Server Name|3a| localhost"; program: *Security*; parse_src_ip: 1; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002057; sid: 5002057; rev:4;)
diff -Nru sagan-rules-10222015/windows-applocker.rules sagan-rules-20160923/windows-applocker.rules
--- sagan-rules-10222015/windows-applocker.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/windows-applocker.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan windows-applocker.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/windows-auth.rules sagan-rules-20160923/windows-auth.rules
--- sagan-rules-10222015/windows-auth.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/windows-auth.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan windows-auth.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
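Review bot: Sid 5002056 still carries `days $SAGAN_DAYS, hours $SAGAN_HOURS;` without the `alert_time:` keyword that sids 5002055 and 5002057 use, so the time-of-day restriction promised by its msg is not expressed as a valid option on the rewritten line; it should read `alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS;`. All three rules also tag their `msg:` with `[WINDOWS-GEOIP]` although they live in windows-aetas.rules and perform no geo lookup, so `[WINDOWS-AETAS]` would keep alert triage consistent with the other files. Widening `program:` from `Security*` to `*Security*` presumably targets prefixed forwarder program names, but it now matches anything containing "Security"; a comment such as `# *Security* also matches prefixed forwarder program names, not just the bare Security log` would record the intent.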
@@ -29,80 +29,80 @@
 # http://code.google.com/p/eventlog-to-syslog/
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Unknown username or bad password - Brute force [25/1]"; content: " 529|3a| "; classtype: unsuccessful-user; program: Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; flowbits: set,brute_force,86400; fwsam: src, 1 day; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5001151; sid: 5001151; rev:13;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Unknown username or bad password"; content: " 529|3a| "; classtype: unsuccessful-user; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001531; sid: 5001531; rev:4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Account login time restriction"; content: " 530|3a| "; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001152; sid: 5001152; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Unknown username or bad password - Brute force [25/1]"; content: " 529|3a| "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; flowbits: set,brute_force,21600; fwsam: src, 1 day; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5001151; sid: 5001151; rev:15;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Unknown username or bad password"; content: " 529|3a| "; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001531; sid: 5001531; rev:5;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Account login time restriction"; content: " 530|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001152; sid: 5001152; rev:5;)
 # We only want disabled users that contain usernames, hence the content:! on sid 5001153.
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Account currently disabled [0/1]"; content: " 531|3a| "; content:!"User Name|3a| Domain|3a|"; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; threshold: type limit, track by_src, count 1, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001153; sid: 5001153; rev:9;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Account currently disabled [0/1]"; content: " 531|3a| "; content:!"User Name|3a| Domain|3a|"; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; threshold: type limit, track by_src, count 1, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001153; sid: 5001153; rev:10;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Specified account expired"; content: " 532|3a| "; classtype: unsuccessful-user; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001154; sid: 5001154; rev:4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - User not allowed to login at this computer"; content: " 533|3a| "; classtype: unsuccessful-user; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001155; sid: 5001155; rev:4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - User not granted login type"; content: " 534|3a| "; classtype: unsuccessful-user; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001156; sid: 5001156; rev:4;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Account password is expired"; content: " 535|3a| "; classtype: unsuccessful-user; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001157; sid: 5001157; rev:4;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Internal error"; pcre: "/ 536: | 537: /"; classtype: unsuccessful-user; program: Security*; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 2, seconds 300; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001158; sid: 5001158; rev:7;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Account locked [0/1]"; content: " 539|3a| "; content:!"User Name|3a| Domain|3a| Logon Type|3a|"; classtype: unsuccessful-user; threshold: type limit, track by_src, count 1, seconds 300; parse_src_ip: 1; parse_port; fwsam: src, 1 day; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001159; sid: 5001159; rev:9;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Specified account expired"; content: " 532|3a| "; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001154; sid: 5001154; rev:5;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - User not allowed to login at this computer"; content: " 533|3a| "; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001155; sid: 5001155; rev:5;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - User not granted login type"; content: " 534|3a| "; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001156; sid: 5001156; rev:5;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Account password is expired"; content: " 535|3a| "; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001157; sid: 5001157; rev:5;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Internal error"; pcre: "/ 536: | 537: /"; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 2, seconds 300; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001158; sid: 5001158; rev:8;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Account locked [0/1]"; content: " 539|3a| "; content:!"User Name|3a| Domain|3a| Logon Type|3a|"; classtype: unsuccessful-user; threshold: type limit, track by_src, count 1, seconds 300; parse_src_ip: 1; parse_port; fwsam: src, 1 day; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001159; sid: 5001159; rev:10;)
 # See 681 & 4769 for subcodes
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001160; sid: 5001160; rev:10;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] User account unlocked"; pcre: "/ 671: | 4767: /"; classtype: unsuccessful-user; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001161; sid: 5001161; rev:3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group created"; pcre: "/ 631: | 635: | 658: | 4727: | 4731: | 4754: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001162; sid: 5001162; rev:4;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group deleted"; pcre: "/ 634: | 638: | 662: | 4730: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001163; sid: 5001163; rev:4;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Group account created"; pcre: "/ 631: | 4727: | 635: | 4731: | 658: | 4754: | 648: | 4744: | 653: | 4749: | 663: | 4759: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001164; sid: 5001164; rev:3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Group account deleted"; pcre: "/ 634: | 4730: | 638: | 4734: | 662: | 4758: | 652: | 4748: | 657: | 4753: | 667: | 4763: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001165; sid: 5001165; rev:3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Group account changed"; pcre: "/ 632: | 4728: | 633: | 4729: | 636: | 4732: | 637: | 4733: | 639: | 4735: | 641 | 4737: | 637: | 4733: | 659: | 4755: | 660: | 4766: | 668: | 4764: | 649: | 4745: | 650: | 4746: | 651: | 4747: | 654: | 4750: | 655: | 4751: | 656: | 4752: | 659: | 4755: | 660: | 4756: | 661: | 4757: | 664: | 4760: | 665: | 4761: | 666: | 4762: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001475; sid: 5001475; rev:3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled global group member added"; pcre: "/ 632: | 4728: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001166; sid: 5001166; rev:3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled global group member removed"; pcre: "/ 633: | 4729: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001167; sid: 5001167; rev:3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled global group deleted"; pcre: "/ 634: | 4730: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001168; sid: 5001168; rev:3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group created"; pcre: "/ 635: | 4731: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001169; sid: 5001169; rev:4;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group member added"; pcre: "/ 636: | 4732: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001170; sid: 5001170; rev:3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group member removed"; pcre: "/ 637: | 4733: /"; classtype: system-eventr; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001171; sid: 5001171; rev:3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group deleted"; pcre: "/ 638: | 4734: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001172; sid: 5001172; rev:3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group changed"; pcre: "/ 639: | 4735: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001173; sid: 5001173; rev:3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group changed"; pcre: "/ 641: | 4737: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001174; sid: 5001174; rev:3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled universal group created"; pcre: "/ 658: | 4754: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001176; sid: 5001176; rev:3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled universal group changed"; pcre: "/ 659: | 4755: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001177; sid: 5001177; rev:3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled universal group member added"; pcre: "/ 660: | 4756: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001178; sid: 5001178; rev:3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group member removed"; pcre: "/ 661: | 4757: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001179; sid: 5001179; rev:3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group member deleted"; pcre: "/ 662: | 4758: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001180; sid: 5001180; rev:3;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] RDP maximum allowed failed logon attempts"; content: " 1012|3a| "; classtype: system-event; program: TermService; reference: url,wiki.quadrantsec.com/bin/view/Main/5001181; sid: 5001181; rev:3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows login attempt (ignored). Duplicated"; content: " 680|3a| "; classtype: unsuccessful-user; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001186; sid: 5001186; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001160; sid: 5001160; rev:12;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] User account unlocked"; pcre: "/ 671: | 4767: /"; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001161; sid: 5001161; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group created"; pcre: "/ 631: | 635: | 658: | 4727: | 4731: | 4754: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001162; sid: 5001162; rev:5;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group deleted"; pcre: "/ 634: | 638: | 662: | 4730: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001163; sid: 5001163; rev:5;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Group account created"; pcre: "/ 631: | 4727: | 635: | 4731: | 658: | 4754: | 648: | 4744: | 653: | 4749: | 663: | 4759: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001164; sid: 5001164; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Group account deleted"; pcre: "/ 634: | 4730: | 638: | 4734: | 662: | 4758: | 652: | 4748: | 657: | 4753: | 667: | 4763: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001165; sid: 5001165; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Group account changed"; pcre: "/ 632: | 4728: | 633: | 4729: | 636: | 4732: | 637: | 4733: | 639: | 4735: | 641 | 4737: | 637: | 4733: | 659: | 4755: | 660: | 4766: | 668: | 4764: | 649: | 4745: | 650: | 4746: | 651: | 4747: | 654: | 4750: | 655: | 4751: | 656: | 4752: | 659: | 4755: | 660: | 4756: | 661: | 4757: | 664: | 4760: | 665: | 4761: | 666: | 4762: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001475; sid: 5001475; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled global group member added"; pcre: "/ 632: | 4728: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001166; sid: 5001166; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled global group member removed"; pcre: "/ 633: | 4729: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001167; sid: 5001167; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled global group deleted"; pcre: "/ 634: | 4730: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001168; sid: 5001168; rev:5;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group created"; pcre: "/ 635: | 4731: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001169; sid: 5001169; rev:5;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group member added"; pcre: "/ 636: | 4732: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001170; sid: 5001170; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group member removed"; pcre: "/ 637: | 4733: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001171; sid: 5001171; rev:5;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group deleted"; pcre: "/ 638: | 4734: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001172; sid: 5001172; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group changed"; pcre: "/ 639: | 4735: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001173; sid: 5001173; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group changed"; pcre: "/ 641: | 4737: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001174; sid: 5001174; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled universal group created"; pcre: "/ 658: | 4754: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001176; sid: 5001176; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled universal group changed"; pcre: "/ 659: | 4755: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001177; sid: 5001177; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled universal group member added"; pcre: "/ 660: | 4756: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001178; sid: 5001178; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group member removed"; pcre: "/ 661: | 4757: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001179; sid: 5001179; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group member deleted"; pcre: "/ 662: | 4758: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001180; sid: 5001180; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] RDP maximum allowed failed logon attempts"; content: " 1012|3a| "; classtype: system-event; program: TermService; reference: url,wiki.quadrantsec.com/bin/view/Main/5001181; sid: 5001181; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows login attempt (ignored). Duplicated"; content: " 680|3a| "; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001186; sid: 5001186; rev:5;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Remote access login failure"; pcre: "/ 20187: | 20014: | 20078: | 20050: | 20049: | 20189: /"; classtype: unsuccessful-user; program: RemoteAccess; reference: url,wiki.quadrantsec.com/bin/view/Main/5001187; sid: 5001187; rev:1;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Remote access login success"; content: " 20158|3a| "; classtype: successful-user; program: RemoteAccess; reference: url,wiki.quadrantsec.com/bin/view/Main/5001188; sid: 5001188; rev:3;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Computer account changed/deleted"; pcre: "/ 646: | 647: | 4742: | 4743: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001189; sid: 5001189; rev:4;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Computer account changed/deleted"; pcre: "/ 646: | 647: | 4742: | 4743: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001190; sid: 5001190; rev:4;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Account locked out [multiple login errors] [0/1]"; pcre: "/ 644: | 4740: /"; threshold: type limit, track by_src, count 1, seconds 300; classtype: unsuccessful-user; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001192; sid: 5001192; rev:7;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] General account database changed"; content: " 640|3a| "; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001193; sid: 5001193; rev:4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] DC - Integrity check on decrypted"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: "Failure Code|3a| 0x1F"; classtype: exploit-attempt; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001195; sid: 5001195; rev:6;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] DC - Possible replay attack"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: "Failure Code|3a| 0x22"; classtype: exploit-attempt; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001196; sid: 5001196; rev:4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] DC - Clock skew too great"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: "Failure Code|3a| 0x25"; threshold: type limit, track by_src, count 1, seconds 86400; classtype: exploit-attempt; parse_src_ip: 1; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001197; sid: 5001197; rev:7;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Computer account changed/deleted"; pcre: "/ 646: | 647: | 4742: | 4743: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001189; sid: 5001189; rev:5;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Computer account changed/deleted"; pcre: "/ 646: | 647: | 4742: | 4743: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001190; sid: 5001190; rev:5;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Account locked out [multiple login errors] [0/1]"; pcre: "/ 644: | 4740: /"; threshold: type limit, track by_src, count 1, seconds 300; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001192; sid: 5001192; rev:7;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] General account database changed"; content: " 640|3a| "; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001193; sid: 5001193; rev:5;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] DC - Integrity check on decrypted"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: "Failure Code|3a| 0x1F"; classtype: exploit-attempt; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001195; sid: 5001195; rev:7;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] DC - Possible replay attack"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: "Failure Code|3a| 0x22"; classtype: exploit-attempt; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001196; sid: 5001196; rev:5;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] DC - Clock skew too great"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: "Failure Code|3a| 0x25"; threshold: type limit, track by_src, count 1, seconds 86400; classtype: exploit-attempt; parse_src_ip: 1; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001197; sid: 5001197; rev:8;)
 # Tied to SIDs.
 #if_sid 18207,18208 - see msauth rules. Sagan can do the same, rules just need to be written.
 # Same with "Kerberos failures that may indicate an attack"
 #
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Administrator group changed"; pcre: "/ ID:\s+\p*S-1-5-32-544\p*/"; classtype: unsuccessful-user; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/XXXXXXX; sid: XXXXXXX; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Administrator group changed"; pcre: "/ ID:\s+\p*S-1-5-32-544\p*/"; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/XXXXXXX; sid: XXXXXXX; rev:3;)
 # 09/18/2012 Sniffty Dugen
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Attempted Password Reset"; pcre: "/ 628: | 4724: /"; classtype: configuration-change; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001620; sid:5001620; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Attempted Password Reset"; pcre: "/ 628: | 4724: /"; classtype: configuration-change; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001620; sid:5001620; rev:5;)
 # Generic "catch all" for event ID 6273
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Authentication failed - User credentials mismatch [0/5]"; content: " 6273|3a| "; classtype: unsuccessful-user; program: Security*; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001648; sid: 5001648; rev:5;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Auth failed - Bad Account/Incorrect Password - Brute Force [25/1]"; content: " 6273|3a| "; content: "Reason Code: 16 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001657; sid: 5001657; rev:7;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Auth failed - Bad Account/Incorrect Password"; content: "Reason Code|3a| 16 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001658; sid: 5001658; rev:4;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] User account does not exist"; content: "Reason Code|3a| 8 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001659; sid: 5001659; rev:4;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Domain does not exist"; content: "Reason Code|3a| 7 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001660; sid: 5001660; rev:4;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] No matching newtork policy"; content: "Reason Code|3a| 48 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001661; sid: 5001661; rev:4;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] RADIUS Access-Request message is disabled"; content: "Reason Code|3a| 34 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001662; sid: 5001662; rev:4;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] User much change password"; content: "Reason Code|3a| 33 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001663; sid: 5001663; rev:4;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Remote RADIUS did not process auth request"; content: "Reason Code|3a| 112 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001664; sid: 5001664; rev:4;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Incomplete message. Signature not verified"; content: "Reason Code|3a| 262 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001665; sid: 5001665; rev:4;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] EAP type cannot be processed by server"; content: "Reason Code|3a| 22 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001666; sid: 5001666; rev:4;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Error occured with EAP"; content: "Reason Code|3a| 23 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001667; sid: 5001667; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Authentication failed - User credentials mismatch [0/5]"; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001648; sid: 5001648; rev:6;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Auth failed - Bad Account/Incorrect Password - Brute Force [25/1]"; content: " 6273|3a| "; content: "Reason Code: 16 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001657; sid: 5001657; rev:9;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Auth failed - Bad Account/Incorrect Password"; content: "Reason Code|3a| 16 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001658; sid: 5001658; rev:5;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] User account does not exist"; content: "Reason Code|3a| 8 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001659; sid: 5001659; rev:5;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Domain does not exist"; content: "Reason Code|3a| 7 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001660; sid: 5001660; rev:5;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] No matching newtork policy"; content: "Reason Code|3a| 48 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001661; sid: 5001661; rev:5;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] RADIUS Access-Request message is disabled"; content: "Reason Code|3a| 34 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001662; sid: 5001662; rev:5;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] User much change password"; content: "Reason Code|3a| 33 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001663; sid: 5001663; rev:5;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Remote RADIUS did not process auth request"; content: "Reason Code|3a| 112 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001664; sid: 5001664; rev:5;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Incomplete message. Signature not verified"; content: "Reason Code|3a| 262 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001665; sid: 5001665; rev:5;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] EAP type cannot be processed by server"; content: "Reason Code|3a| 22 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001666; sid: 5001666; rev:5;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Error occured with EAP"; content: "Reason Code|3a| 23 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001667; sid: 5001667; rev:5;)
 # Group change rules where typically to noisy and didn't supply the information
 # Needed. These rule detect "what" group a user was "added" to. This should
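Review bot: sid 5001192 (`Account locked out [multiple login errors] [0/1]`) receives the same `program: *Security*` change as its neighbours but keeps `rev:7`, and the placeholder-sid `Administrator group changed` rule likewise stays at `rev:3`; every other touched rule in this hunk was bumped, so these should read `rev:8` and `rev:4` to keep the revision history honest for anyone diffing rule sets. Separately, sids 5001151, 5001160 and 5001657 now expire the bit with `flowbits: set,brute_force,21600` while `threshold: type limit, track by_src, count 1, seconds 86400` still suppresses re-alerting for a day; if the threshold also gates re-setting the bit (not visible here), a source that keeps failing logons would be unflagged for the remaining 18 hours, so either align the two windows or add a comment above 5001151 such as `# brute_force flowbit is held 6h; threshold limits alerting to once per 24h per source`. Pre-existing msg typos are carried onto the new side and could be fixed while the revs are being bumped: `newtork` in 5001661, `much` in 5001663, `occured` in 5001667. The 5001475 pcre also still contains `| 641 |` without the trailing colon every other alternative carries, so that event id would only match by accident.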
@@ -111,111 +111,115 @@ # These where created by Robert Nunley (rnunley@quadrantsec.com) # Local group -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] Local Administrator account added to a local group"; pcre: "/ 636: | 4732: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-500 /"; program: Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001692; sid: 5001692; rev:5;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to Network Config Operator group"; pcre: "/ 636: | 4732: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-556 /"; program: Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001693; sid: 5001693; rev:5;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to DNS Admins group"; pcre: "/ 636: | 4732: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-1101 /"; program: Security*; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001694; sid: 5001694; rev:4;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] Local Administrator account added to a local group"; pcre: "/ 636: | 4732: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-500 /"; program: *Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001692; sid: 5001692; rev:6;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to Network Config Operator group"; pcre: "/ 636: | 4732: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-556 /"; program: *Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001693; sid: 5001693; rev:6;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to DNS Admins group"; pcre: "/ 636: | 4732: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-1101 /"; program: *Security*; classtype: successful-admin; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001694; sid: 5001694; rev:5;) # Domain/global group -alert syslog $EXTERNAL_NET any -> $HOME_NET 389 (msg:"[WINDOWS-AUTH] User added to Domain Administrators group"; pcre: "/ 632: | 4728: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-512 /"; program: Security*; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001695; sid: 5001695; rev:5;) +alert syslog $EXTERNAL_NET any -> $HOME_NET 389 (msg:"[WINDOWS-AUTH] User added to Domain Administrators group"; pcre: "/ 632: | 4728: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-512 /"; program: *Security*; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001695; sid: 5001695; rev:6;) # Enterprise/universal group -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to Enterprise Administrators group"; pcre: "/ 660: | 4756: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-519 /"; program: Security*; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001696; sid: 5001696; rev:5;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to Group Policy Creator Owner group"; pcre: "/ 660: | 4756: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-520 /"; program: Security*; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001696; sid: 5001697; rev:5;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to Enterprise Administrators group"; pcre: "/ 660: | 4756: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-519 /"; program: *Security*; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001696; sid: 5001696; rev:6;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to Group Policy Creator Owner group"; pcre: "/ 660: | 4756: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-520 /"; program: *Security*; classtype: 
successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001696; sid: 5001697; rev:6;) # User enabled -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account enabled"; pcre: "/ 626: | 4722: /"; content:!"$ Account Domain";|3a| "; content:!"$ Account Domain|3a| "; program: Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001687; sid: 5001687; rev:7;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account enabled"; pcre: "/ 626: | 4722: /"; content:!"$ Account Domain"; program: *Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001687; sid: 5001687; rev:8;) # User created -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account created"; pcre: "/ 624: | 4720: /"; program: Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001786; sid: 5001791; rev:4;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account created"; pcre: "/ 624: | 4720: /"; program: *Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001786; sid: 5001791; rev:5;) # Windows 2008 rules submitted by Robert Nunley (rnunley@quadrantsec.com) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Potential Windows User Enumeration - User Name Does Not Exist [Brute Force] [25/1]"; content: "C0000064"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Source"; content:!"$ Account Domain|3a| "; flowbits: set,brute_force,86400; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5001728; sid: 5001728; rev:14;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Potential Windows User Enumeration - User Name Does Not Exist [Brute Force] 
[25/1]"; content: "C0000064"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Source"; content:!"$ Account Domain|3a| "; flowbits: set,brute_force,21600; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5001728; sid: 5001728; rev:16;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - User Correct but Incorrect Password [25/1]"; content: "C000006A"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Account Domain|3a| "; content:!"Source Network Address|3a| -"; flowbits: set,brute_force,86400; classtype: unsuccessful-user; program: Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001729; sid: 5001729; rev:13;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - User Correct but Incorrect Password [25/1]"; content: "C000006A"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Account Domain|3a| "; content:!"Source Network Address|3a| -"; flowbits: set,brute_force,21600; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001729; sid: 5001729; rev:15;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - User Is Locked Out [25/1]"; content: "C0000234"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001730; sid: 5001730; rev:9;) +alert syslog 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - User Is Locked Out [25/1]"; content: "C0000234"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001730; sid: 5001730; rev:11;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - User Account Disabled [25/1]"; content: "C0000072"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001731; sid: 5001731; rev:12;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - User Account Disabled [25/1]"; content: "C0000072"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001731; sid: 5001731; rev:14;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - User Login Attempts Outside of Time Restriction [25/1]"; content: "C000006F"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001732; sid: 5001732; rev:10;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - User Login Attempts Outside 
of Time Restriction [25/1]"; content: "C000006F"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001732; sid: 5001732; rev:12;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - Expired Account [25/1]"; content: "C0000193"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001733; sid: 5001733; rev:10;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - Expired Account [25/1]"; content: "C0000193"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001733; sid: 5001733; rev:12;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - Expired Password [25/1]"; content: "C0000071"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001734; sid: 5001734; rev:10;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - Expired Password [25/1]"; content: "C0000071"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; flowbits: 
set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001734; sid: 5001734; rev:12;) # Windows authentication rules by code type. Submitted by Brian Echeverry -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x1 - Client's entry in database has expired [25/1]"; content: " 0x1 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001740; sid: 5001740; rev:8;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2 - Server's entry in database has expired [25/1]"; content: " 0x2 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001741; sid: 5001741; rev:7;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x3 - Requested protocol version # not supported [25/1]"; content: " 0x3 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001742; sid: 5001742; rev:7;) - -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x4 - 
Client's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x4 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001743; sid: 5001743; rev:5;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x5 - Server's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x5 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001744; sid: 5001744; rev:5;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x6 - Client not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x6 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001745; sid: 5001745; rev:5;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x7 - Server not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x7 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001746; sid: 5001746; rev:5;) -#alert syslog 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x8 - Multiple principal entries in database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x8 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001747; sid: 5001747; rev:5;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x9 - The client or server has a null key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x9 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001748; sid: 5001748; rev:5;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xA - Ticket not eligible for postdating [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xA Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001749; sid: 5001749; rev:5;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xB - Requested start time is later than end time [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xB Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; 
reference: url,wiki.quadrantsec.com/bin/view/Main/5001750; sid: 5001750; rev:4;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xC - KDC policy rejects request [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xC "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001751; sid: 5001751; rev:6;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xD - KDC cannot accommodate requested option [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xD "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001752; sid: 5001752; rev:5;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xE - KDC has no support for encryption type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xE "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001753; sid: 5001753; rev:5;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - B4ute force 0xF - KDC has no support for checksum type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xF "; classtype: unsuccessful-user; program: Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 
86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001754; sid: 5001754; rev:4;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x10 - KDC has no support for padata type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x10 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001755; sid: 5001755; rev:5;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x11 - KDC has no support for transited type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x11 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001756; sid: 5001756; rev:5;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x12 - Clients credentials have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x12 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001757; sid: 5001757; rev:5;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x13 - Credentials for server have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x13 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, 
count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001758; sid: 5001758; rev:5;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x14 - TGT has been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x14 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001759; sid: 5001759; rev:4;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x15 - Client not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x15 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001760; sid: 5001760; rev:5;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x16 - Server not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x16 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001761; sid: 5001761; rev:5;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x17 - Password has expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x17 "; classtype: unsuccessful-user; program: Security*; flowbits: 
set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001762; sid: 5001762; rev:4;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x18 - Pre-authentication information was invalid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x18 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001763; sid: 5001763; rev:9;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x19 - Additional pre-authentication required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x19 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001764; sid: 5001764; rev:5;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x1F - Integrity check on decrypted field failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x1F "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001765; sid: 5001765; rev:5;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x20 - Ticket expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x20 "; 
classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001766; sid: 5001766; rev:5;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x21 - Ticket not yet valid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x21 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001767; sid: 5001767; rev:4;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x22 - Request is a replay [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x22 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001768; sid: 5001768; rev:6;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x23 - The ticket isn't for us [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x23 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001769; sid: 5001769; rev:5;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x24 - Ticket and authenticator don't match [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: 
/"; content: " 0x24 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001770; sid: 5001770; rev:6;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x25 - Clock skew too great [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x25 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001771; sid: 5001771; rev:6;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x26 - Incorrect net address [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x26 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001772; sid: 5001772; rev:6;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x27 - Protocol version mismatch [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x27 "; classtype: unsuccessful-user; program: Security; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001773; sid: 5001773; rev:5;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x28 - Invalid msg type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 
4768: /"; content: " 0x28 "; classtype: unsuccessful-user; program: Security; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001774; sid: 5001774; rev:5;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x29 - Message stream modified [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x29 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001775; sid: 5001775; rev:5;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2A - Message out of order [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2A "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001776; sid: 5001776; rev:5;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2C - Specified version of key is not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2C "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001777; sid: 5001777; rev:5;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2D - Service key not available [25/1]"; pcre: 
"/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2D "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001778; sid: 5001778; rev:5;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2E - Mutual authentication failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2E "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001779; sid: 5001779; rev:5;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2F - Incorrect message direction [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2F "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001780; sid: 5001780; rev:5;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x30 - Alternative authentication method required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x30 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001781; sid: 5001781; rev:5;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 
0x31 - Incorrect sequence number in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x31 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001782; sid: 5001782; rev:6;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x32 - Inappropriate type of checksum in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x32 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001783; sid: 5001783; rev:5;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x3C - Generic error [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3C "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001784; sid: 5001784; rev:5;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x3D - Field is too long for this implementation [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3D "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001785; sid: 5001785; rev:5;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x1 - Client's entry in database has expired [25/1]"; content: " 0x1 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001740; sid: 5001740; rev:10;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2 - Server's entry in database has expired [25/1]"; content: " 0x2 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001741; sid: 5001741; rev:9;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x3 - Requested protocol version # not supported [25/1]"; content: " 0x3 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001742; sid: 5001742; rev:9;) + +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x4 - Client's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x4 Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001743; sid: 5001743; rev:7;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x5 - Server's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x5 Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001744; sid: 5001744; rev:7;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x6 - Client not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x6 Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001745; sid: 5001745; rev:7;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x7 - Server not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x7 Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001746; sid: 5001746; rev:7;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x8 - Multiple principal entries in database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x8 Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, 
seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001747; sid: 5001747; rev:7;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x9 - The client or server has a null key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x9 Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001748; sid: 5001748; rev:7;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xA - Ticket not eligible for postdating [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xA Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001749; sid: 5001749; rev:7;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xB - Requested start time is later than end time [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xB Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001750; sid: 5001750; rev:6;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xC - KDC policy rejects request [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xC "; classtype: unsuccessful-user; 
program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001751; sid: 5001751; rev:8;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xD - KDC cannot accommodate requested option [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xD "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001752; sid: 5001752; rev:7;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xE - KDC has no support for encryption type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xE "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001753; sid: 5001753; rev:7;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - B4ute force 0xF - KDC has no support for checksum type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xF "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001754; sid: 5001754; rev:5;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x10 - KDC has no support for padata type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 
0x10 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001755; sid: 5001755; rev:7;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x11 - KDC has no support for transited type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x11 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001756; sid: 5001756; rev:7;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x12 - Clients credentials have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x12 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001757; sid: 5001757; rev:7;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x13 - Credentials for server have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x13 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001758; sid: 5001758; rev:7;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x14 - TGT has been revoked 
[25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x14 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001759; sid: 5001759; rev:6;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x15 - Client not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x15 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001760; sid: 5001760; rev:7;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x16 - Server not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x16 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001761; sid: 5001761; rev:7;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x17 - Password has expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x17 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001762; sid: 5001762; rev:6;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon 
Failure - Brute force 0x18 - Pre-authentication information was invalid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x18 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001763; sid: 5001763; rev:11;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x19 - Additional pre-authentication required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x19 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001764; sid: 5001764; rev:7;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x1F - Integrity check on decrypted field failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x1F "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001765; sid: 5001765; rev:7;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x20 - Ticket expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x20 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001766; sid: 5001766; rev:7;) +#alert syslog 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x21 - Ticket not yet valid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x21 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001767; sid: 5001767; rev:6;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x22 - Request is a replay [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x22 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001768; sid: 5001768; rev:8;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x23 - The ticket isn't for us [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x23 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001769; sid: 5001769; rev:7;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x24 - Ticket and authenticator don't match [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x24 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001770; sid: 
5001770; rev:8;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x25 - Clock skew too great [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x25 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001771; sid: 5001771; rev:8;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x26 - Incorrect net address [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x26 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001772; sid: 5001772; rev:8;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x27 - Protocol version mismatch [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x27 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001773; sid: 5001773; rev:7;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x28 - Invalid msg type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x28 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001774; sid: 5001774; rev:7;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x29 - Message stream modified [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x29 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001775; sid: 5001775; rev:7;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2A - Message out of order [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2A "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001776; sid: 5001776; rev:7;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2C - Specified version of key is not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2C "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001777; sid: 5001777; rev:7;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2D - Service key not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2D "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, 
seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001778; sid: 5001778; rev:7;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2E - Mutual authentication failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2E "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001779; sid: 5001779; rev:7;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2F - Incorrect message direction [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2F "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001780; sid: 5001780; rev:7;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x30 - Alternative authentication method required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x30 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001781; sid: 5001781; rev:7;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x31 - Incorrect sequence number in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x31 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 
25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001782; sid: 5001782; rev:8;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x32 - Inappropriate type of checksum in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x32 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001783; sid: 5001783; rev:7;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x3C - Generic error [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3C "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001784; sid: 5001784; rev:7;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x3D - Field is too long for this implementation [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3D "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001785; sid: 5001785; rev:7;)
 # Account "re-enabled" via flowbit (12/03/2013)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account created [FLOWBIT SET]"; pcre: "/ 624: | 4720: /"; program: Security*; classtype: successful-user; flowbits: set, created_enabled, 30; flowbits: noalert; reference: url,wiki.quadrantsec.com/bin/view/Main/5001880; sid: 5001880; rev:4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account re-enabled"; pcre: "/ 626: | 4722: /"; content:! "$" ;program: Security*; flowbits: isnotset, by_src, created_enabled; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001881; sid: 5001881; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account created [FLOWBIT SET]"; pcre: "/ 624: | 4720: /"; program: *Security*; classtype: successful-user; flowbits: set, created_enabled, 30; flowbits: noalert; reference: url,wiki.quadrantsec.com/bin/view/Main/5001880; sid: 5001880; rev:5;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account re-enabled"; pcre: "/ 626: | 4722: /"; content:! "$" ;program: *Security*; flowbits: isnotset, by_src, created_enabled; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001881; sid: 5001881; rev:5;)
 # Rule added by Brian Echeverry ( becheverry@quadrantsec.com) - 02/21/2014
 # Disabled by default. Possible flowbit rule canidate (?)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Account locked out (ADMINISTRATOR)"; pcre: "/ 644: | 4740: /"; content: "administrator"; nocase; classtype: unsuccessful-user; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001978; sid: 5001978; rev:2;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Account locked out (ADMINISTRATOR)"; pcre: "/ 644: | 4740: /"; content: "administrator"; nocase; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001978; sid: 5001978; rev:3;)
 # You'll want to populate the "WINDOWS_DOMAINS" before enabling this rule.
 # Champ Clark - 03/03/2014
-#alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-AUTH] Pass-The-Hash detected!"; pcre: "/ 4624: | 4625: /"; content: "Logon Type|3a| 3 "; content: "Authentication Package|3a| NTLM "; content:!"ANONYMOUS LOGON"; meta_content:!"Domain|3a| %sagan% ",$WINDOWS_DOMAINS; meta_nocase; program: Security*; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002017; reference: url, http://en.wikipedia.org/wiki/Pass_the_hash; sid: 5002017; rev:4;)
+#alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-AUTH] Pass-The-Hash detected!"; pcre: "/ 4624: | 4625: /"; content: "Logon Type|3a| 3 "; content: "Authentication Package|3a| NTLM "; content:!"ANONYMOUS LOGON"; meta_content:!"Domain|3a| %sagan% ",$WINDOWS_DOMAINS; meta_nocase; program: *Security*; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002017; reference: url, http://en.wikipedia.org/wiki/Pass_the_hash; sid: 5002017; rev:4;)
 # Records _all_ RDP sessions
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-AUTH] RDP / Logon type 10"; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; program: Security*; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002015; sid: 5002015; rev:2;)
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-AUTH] Logon attempt using explicit credentials"; pcre: "/ 552: | 4648: /"; content:!"Network Address|3a| - "; content:!"Port|3a| - "; content:!"Target Server Name|3a| localhost"; program: Security*; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002018; sid: 5002018; rev:3;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-AUTH] RDP / Logon type 10"; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; program: *Security*; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002015; sid: 5002015; rev:3;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-AUTH] Logon attempt using explicit credentials"; pcre: "/ 552: | 4648: /"; content:!"Network Address|3a| - "; content:!"Port|3a| - "; content:!"Target Server Name|3a| localhost"; program: *Security*; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002018; sid: 5002018; rev:4;)
 # Rule added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/08/2014
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account disabled"; pcre: "/ 629: | 4725: /"; program: Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002213; sid: 5002213; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account disabled"; pcre: "/ 629: | 4725: /"; program: *Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002213; sid: 5002213; rev:4;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account deleted"; pcre: "/ 630: | 4726: /"; program: Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002335; sid: 5002335; rev:2;)
+# Enabled by Brian Echeverry - 04/08/2016
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account deleted"; pcre: "/ 630: | 4726: /"; program: *Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002335; sid: 5002335; rev:3;)
 # Rule added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/19/2015
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled global group created"; pcre: "/ 631: | 4727: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002403; sid: 5002403; rev:1;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled global group created"; pcre: "/ 631: | 4727: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002403; sid: 5002403; rev:2;)
+
+# Added by Adam Hall (Jan, 11th 2016). You'll need to make sure your audit policy/GPO have logging for this enabled!
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Domain policy was changed"; pcre: "/ 4739: | 643: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002775; sid: 5002775; rev:2;)
diff -Nru sagan-rules-10222015/windows-blacklist.rules sagan-rules-20160923/windows-blacklist.rules
--- sagan-rules-10222015/windows-blacklist.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/windows-blacklist.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan windows-blacklist.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -29,67 +29,68 @@
 # http://code.google.com/p/eventlog-to-syslog/
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-BLACKLIST] RDP / Logon type 10 from a blacklisted IP"; program: Security*; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; blacklist: by_src; program: Security*; parse_src_ip: 1; normalize: windows; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002215; sid: 5002215; rev:2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP [0/5]"; program: Security*; content: " 529|3a| "; classtype: unsuccessful-user; blacklist: by_src; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: windows; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5002216; sid: 5002216; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP [Time restriction] [0/5]"; content: " 530|3a| "; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; blacklist: by_src; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: windows; reference: url,wiki.quadrantsec.com/bin/view/Main/5002217; sid: 5002217; rev:4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from blacklisted IP - Account currently disabled [0/5]"; content: " 531|3a| "; content:!"User Name|3a| Domain|3a|"; classtype: unsuccessful-user; program: Security*; blacklist: by_src; normalize: windows; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002218; sid: 5002218; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from blacklisted IP - Specified account expired"; content: " 532|3a| "; classtype: unsuccessful-user; program: Security*; blacklist: by_src; normalize: windows; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002219; sid: 5002219; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from blacklisted IP - User not allowed to login at this computer"; content: " 533|3a| "; classtype: unsuccessful-user; program: Security*; blacklist: by_src; normalize: windows; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002220; sid: 5002220; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from blacklisted IP - Account locked [0/1]"; content: " 539|3a| "; content:!"User Name|3a| Domain|3a| Logon Type|3a|"; classtype: unsuccessful-user; blacklist: by_src; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; parse_port; normalize: windows; fwsam: src, 1 day; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002222; sid: 5002222; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Logon Failure from blacklisted IP"; pcre: "/ 675: | 676: | 681: /"; classtype: unsuccessful-user; program: Security*; blacklist: by_src; normalize: windows; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002223; sid: 5002223; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-BLACKLIST] RDP / Logon type 10 from a blacklisted IP"; program: *Security*; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; blacklist: by_src; program: *Security*; parse_src_ip: 1; normalize; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002215; sid: 5002215; rev:3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP [0/5]"; program: *Security*; content: " 529|3a| "; classtype: unsuccessful-user; blacklist: by_src; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize; parse_src_ip: 1; parse_port; 
reference: url,wiki.quadrantsec.com/bin/view/Main/5002216; sid: 5002216; rev:2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP [Time restriction] [0/5]"; content: " 530|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; blacklist: by_src; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5002217; sid: 5002217; rev:5;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from blacklisted IP - Account currently disabled [0/5]"; content: " 531|3a| "; content:!"User Name|3a| Domain|3a|"; classtype: unsuccessful-user; program: *Security*; blacklist: by_src; normalize; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002218; sid: 5002218; rev:2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from blacklisted IP - Specified account expired"; content: " 532|3a| "; classtype: unsuccessful-user; program: *Security*; blacklist: by_src; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002219; sid: 5002219; rev:2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from blacklisted IP - User not allowed to login at this computer"; content: " 533|3a| "; classtype: unsuccessful-user; program: *Security*; blacklist: by_src; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002220; sid: 5002220; rev:2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from blacklisted IP - Account locked [0/1]"; content: " 539|3a| "; content:!"User Name|3a| Domain|3a| Logon Type|3a|"; classtype: unsuccessful-user; blacklist: by_src; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; parse_port; normalize; 
fwsam: src, 1 day; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002222; sid: 5002222; rev:2;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Logon Failure from blacklisted IP"; pcre: "/ 675: | 676: | 681: /"; classtype: unsuccessful-user; program: *Security*; blacklist: by_src; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002223; sid: 5002223; rev:3;) # Rules added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/19/2015 -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Name Does Not Exist [Brute Force] [25/1]"; content: "C0000064"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Source"; content:!"$ Account Domain|3a| "; flowbits: set,brute_force,86400; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; blacklist: by_src; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5002509; sid: 5002509; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Correct but Incorrect Password [Brute Force] [25/1]"; content: "C000006A"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Account Domain|3a| "; flowbits: set,brute_force,86400; classtype: unsuccessful-user; program: Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002510; sid: 5002510; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Is Locked Out [Brute Force] [25/1]"; content: "C0000234"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, 
count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002511; sid: 5002511; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Account Disabled [Brute Force] [25/1]"; content: "C0000072"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002512; sid: 5002512; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Login Attempts Outside of Time Restriction [Brute Force] [25/1]"; content: "C000006F"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002513; sid: 5002513; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - Expired Account [Brute Force] [25/1]"; content: "C0000193"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002514; sid: 5002514; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - Expired Password [Brute Force] [25/1]"; content: "C0000071"; nocase; pcre: "/ 4625: | 4776: /"; 
classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002515; sid: 5002515; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x1 - Client's entry in database has expired [25/1]"; content: " 0x1 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002516; sid: 5002516; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2 - Server's entry in database has expired [25/1]"; content: " 0x2 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002517; sid: 5002517; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x3 - Requested protocol version # not supported [25/1]"; content: " 0x3 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002518; 
sid: 5002518; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x4 - Client's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x4 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002519; sid: 5002519; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x5 - Server's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x5 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002520; sid: 5002520; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x6 - Client not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x6 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002521; sid: 5002521; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x7 - Server not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x7 Client "; 
classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002522; sid: 5002522; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x8 - Multiple principal entries in database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x8 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002523; sid: 5002523; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x9 - The client or server has a null key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x9 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002524; sid: 5002524; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xA - Ticket not eligible for postdating [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xA Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002525; sid: 5002525; 
rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xB - Requested start time is later than end time [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xB Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002526; sid: 5002526; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xC - KDC policy rejects request [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xC "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002527; sid: 5002527; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xD - KDC cannot accommodate requested option [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xD "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002528; sid: 5002528; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xE - KDC has no support for encryption type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xE "; classtype: unsuccessful-user; program: 
Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002529; sid: 5002529; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - B4ute force 0xF - KDC has no support for checksum type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xF "; classtype: unsuccessful-user; program: Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002530; sid: 5002530; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x10 - KDC has no support for padata type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x10 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002531; sid: 5002531; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x11 - KDC has no support for transited type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x11 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002532; sid: 5002532; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] 
Windows DC Login failure from a blacklisted IP - Brute force 0x12 - Clients credentials have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x12 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002533; sid: 5002533; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x13 - Credentials for server have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x13 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002534; sid: 5002534; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x14 - TGT has been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x14 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002535; sid: 5002535; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x15 - Client not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x15 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: 
type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002536; sid: 5002536; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x16 - Server not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x16 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002537; sid: 5002537; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x17 - Password has expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x17 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002538; sid: 5002538; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x18 - Pre-authentication information was invalid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x18 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002539; sid: 5002539; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x19 - 
Additional pre-authentication required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x19 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002540; sid: 5002540; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x1F - Integrity check on decrypted field failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x1F "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002541; sid: 5002541; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x20 - Ticket expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x20 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002542; sid: 5002542; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x21 - Ticket not yet valid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x21 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; 
reference: url,wiki.quadrantsec.com/bin/view/Main/5002543; sid: 5002543; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x22 - Request is a replay [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x22 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002544; sid: 5002544; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x23 - The ticket isn't for us [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x23 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002545; sid: 5002545; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x24 - Ticket and authenticator don't match [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x24 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002546; sid: 5002546; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x25 - Clock skew too great [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x25 "; classtype: 
unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002547; sid: 5002547; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x26 - Incorrect net address [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x26 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002548; sid: 5002548; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x27 - Protocol version mismatch [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x27 "; classtype: unsuccessful-user; program: Security; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002549; sid: 5002549; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x28 - Invalid msg type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x28 "; classtype: unsuccessful-user; program: Security; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002550; sid: 5002550; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x29 - Message stream modified [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x29 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002551; sid: 5002551; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2A - Message out of order [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2A "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002552; sid: 5002552; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2C - Specified version of key is not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2C "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002553; sid: 5002553; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2D - Service key not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2D "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type 
limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002554; sid: 5002554; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2E - Mutual authentication failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2E "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002555; sid: 5002555; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2F - Incorrect message direction [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2F "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002556; sid: 5002556; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x30 - Alternative authentication method required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x30 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002557; sid: 5002557; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x31 - Incorrect 
sequence number in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x31 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002558; sid: 5002558; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x32 - Inappropriate type of checksum in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x32 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002559; sid: 5002559; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x3C - Generic error [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3C "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002560; sid: 5002560; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x3D - Field is too long for this implementation [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3D "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: 
by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002561; sid: 5002561; rev:1;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Name Does Not Exist [Brute Force] [25/1]"; content: "C0000064"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Source"; content:!"$ Account Domain|3a| "; flowbits: set,brute_force,21600; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; blacklist: by_src; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5002509; sid: 5002509; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Correct but Incorrect Password [Brute Force] [25/1]"; content: "C000006A"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Account Domain|3a| "; flowbits: set,brute_force,21600; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002510; sid: 5002510; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Is Locked Out [Brute Force] [25/1]"; content: "C0000234"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002511; sid: 5002511; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Account Disabled [Brute Force] [25/1]"; content: "C0000072"; nocase; pcre: "/ 4625: | 4776: /"; classtype: 
unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002512; sid: 5002512; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Login Attempts Outside of Time Restriction [Brute Force] [25/1]"; content: "C000006F"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002513; sid: 5002513; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - Expired Account [Brute Force] [25/1]"; content: "C0000193"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002514; sid: 5002514; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - Expired Password [Brute Force] [25/1]"; content: "C0000071"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002515; sid: 5002515; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP 
- Brute force 0x1 - Client's entry in database has expired [25/1]"; content: " 0x1 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002516; sid: 5002516; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2 - Server's entry in database has expired [25/1]"; content: " 0x2 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002517; sid: 5002517; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x3 - Requested protocol version # not supported [25/1]"; content: " 0x3 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002518; sid: 5002518; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x4 - Client's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x4 Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: 
type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002519; sid: 5002519; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x5 - Server's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x5 Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002520; sid: 5002520; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x6 - Client not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x6 Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002521; sid: 5002521; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x7 - Server not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x7 Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002522; sid: 5002522; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a 
blacklisted IP - Brute force 0x8 - Multiple principal entries in database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x8 Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002523; sid: 5002523; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x9 - The client or server has a null key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x9 Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002524; sid: 5002524; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xA - Ticket not eligible for postdating [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xA Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002525; sid: 5002525; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xB - Requested start time is later than end time [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xB Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; 
threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002526; sid: 5002526; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xC - KDC policy rejects request [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xC "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002527; sid: 5002527; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xD - KDC cannot accommodate requested option [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xD "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002528; sid: 5002528; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xE - KDC has no support for encryption type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xE "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002529; sid: 5002529; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - B4ute force 
0xF - KDC has no support for checksum type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xF "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002530; sid: 5002530; rev:2;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x10 - KDC has no support for padata type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x10 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002531; sid: 5002531; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x11 - KDC has no support for transited type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x11 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002532; sid: 5002532; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x12 - Clients credentials have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x12 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: 
by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002533; sid: 5002533; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x13 - Credentials for server have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x13 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002534; sid: 5002534; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x14 - TGT has been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x14 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002535; sid: 5002535; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x15 - Client not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x15 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002536; sid: 5002536; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x16 - Server not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: 
| 4768: /"; content: " 0x16 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002537; sid: 5002537; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x17 - Password has expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x17 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002538; sid: 5002538; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x18 - Pre-authentication information was invalid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x18 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002539; sid: 5002539; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x19 - Additional pre-authentication required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x19 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002540; 
sid: 5002540; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x1F - Integrity check on decrypted field failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x1F "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002541; sid: 5002541; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x20 - Ticket expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x20 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002542; sid: 5002542; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x21 - Ticket not yet valid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x21 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002543; sid: 5002543; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x22 - Request is a replay [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x22 "; classtype: unsuccessful-user; program: *Security*; flowbits: 
set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002544; sid: 5002544; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x23 - The ticket isn't for us [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x23 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002545; sid: 5002545; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x24 - Ticket and authenticator don't match [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x24 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002546; sid: 5002546; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x25 - Clock skew too great [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x25 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002547; sid: 5002547; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC 
Login failure from a blacklisted IP - Brute force 0x26 - Incorrect net address [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x26 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002548; sid: 5002548; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x27 - Protocol version mismatch [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x27 "; classtype: unsuccessful-user; program: *Security; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002549; sid: 5002549; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x28 - Invalid msg type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x28 "; classtype: unsuccessful-user; program: *Security; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002550; sid: 5002550; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x29 - Message stream modified [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x29 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; 
parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002551; sid: 5002551; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2A - Message out of order [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2A "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002552; sid: 5002552; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2C - Specified version of key is not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2C "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002553; sid: 5002553; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2D - Service key not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2D "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002554; sid: 5002554; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2E - Mutual authentication failed [25/1]"; pcre: "/ 675: | 676: | 681: | 
4771: | 4768: /"; content: " 0x2E "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002555; sid: 5002555; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2F - Incorrect message direction [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2F "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002556; sid: 5002556; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x30 - Alternative authentication method required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x30 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002557; sid: 5002557; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x31 - Incorrect sequence number in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x31 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5002558; sid: 5002558; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x32 - Inappropriate type of checksum in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x32 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002559; sid: 5002559; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x3C - Generic error [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3C "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002560; sid: 5002560; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x3D - Field is too long for this implementation [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3D "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002561; sid: 5002561; rev:3;)
+
diff -Nru sagan-rules-10222015/windows-bluedot.rules sagan-rules-20160923/windows-bluedot.rules
--- sagan-rules-10222015/windows-bluedot.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/windows-bluedot.rules 2016-09-21 
02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan windows-bluedot.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -28,67 +28,67 @@ # Eventlog to syslog service. This is what we primarily use. # http://code.google.com/p/eventlog-to-syslog/ -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-BLUEDOT] RDP / Logon type 10 from a Bluedot listed IP"; program: Security*; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; bluedot: reputation, by_src, $BLUEDOT_NETWORK; program: Security*; parse_src_ip: 1; normalize: windows; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002344; sid:5002344; rev:1;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP [0/5]"; program: Security*; content: " 529|3a| "; classtype: unsuccessful-user; bluedot: reputation, by_src, $BLUEDOT_NETWORK; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: windows; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5002345; sid:5002345; rev:1;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP [Time restriction] [0/5]"; content: " 530|3a| "; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: windows; reference: url,wiki.quadrantsec.com/bin/view/Main/5002346; sid:5002346; rev:1;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - Account currently disabled [0/5]"; content: " 531|3a| "; content:!"User Name|3a| Domain|3a|"; classtype: unsuccessful-user; program: Security*; bluedot: reputation, by_src, $BLUEDOT_NETWORK; normalize: windows; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002347; sid:5002347; rev:1;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login 
failure from Bluedot listed IP - Specified account expired"; content: " 532|3a| "; classtype: unsuccessful-user; program: Security*; bluedot: reputation, by_src, $BLUEDOT_NETWORK; normalize: windows; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002348; sid:5002348; rev:1;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - User not allowed to login at this computer"; content: " 533|3a| "; classtype: unsuccessful-user; program: Security*; bluedot: reputation, by_src, $BLUEDOT_NETWORK; normalize: windows; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002349; sid:5002349; rev:1;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - Account locked [0/1]"; content: " 539|3a| "; content:!"User Name|3a| Domain|3a| Logon Type|3a|"; classtype: unsuccessful-user; bluedot: reputation, by_src, $BLUEDOT_NETWORK; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; parse_port; normalize: windows; fwsam: src, 1 day; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002350; sid:5002350; rev:1;) -alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Logon Failure from Bluedot listed IP"; pcre: "/ 675: | 676: | 681: /"; classtype: unsuccessful-user; program: Security*; bluedot: reputation, by_src, $BLUEDOT_NETWORK; normalize: windows; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002351; sid:5002351; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-BLUEDOT] RDP / Logon type 10 from a Bluedot listed IP"; program: *Security*; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; program: *Security*; parse_src_ip: 1; normalize; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002344; sid:5002344; 
rev:4;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP [0/5]"; program: *Security*; content: " 529|3a| "; classtype: unsuccessful-user; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5002345; sid:5002345; rev:4;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP [Time restriction] [0/5]"; content: " 530|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5002346; sid:5002346; rev:4;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - Account currently disabled [0/5]"; content: " 531|3a| "; content:!"User Name|3a| Domain|3a|"; classtype: unsuccessful-user; program: *Security*; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; normalize; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002347; sid:5002347; rev:4;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - Specified account expired"; content: " 532|3a| "; classtype: unsuccessful-user; program: *Security*; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002348; sid:5002348; rev:4;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - User not allowed to login at this 
computer"; content: " 533|3a| "; classtype: unsuccessful-user; program: *Security*; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002349; sid:5002349; rev:4;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - Account locked [0/1]"; content: " 539|3a| "; content:!"User Name|3a| Domain|3a| Logon Type|3a|"; classtype: unsuccessful-user; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; parse_port; normalize; fwsam: src, 1 day; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002350; sid:5002350; rev:4;) +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Logon Failure from Bluedot listed IP"; pcre: "/ 675: | 676: | 681: /"; classtype: unsuccessful-user; program: *Security*; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002351; sid:5002351; rev:4;) # Rules added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/19/2015 -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Name Does Not Exist [Brute Force] [25/1]"; content: "C0000064"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Source"; content:!"$ Account Domain|3a| "; flowbits: set,brute_force,86400; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5002455; sid: 5002455; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User 
Correct but Incorrect Password [Brute Force] [25/1]"; content: "C000006A"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Account Domain|3a| "; flowbits: set,brute_force,86400; classtype: unsuccessful-user; program: Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002456; sid: 5002456; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Is Locked Out [Brute Force] [25/1]"; content: "C0000234"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002457; sid: 5002457; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Account Disabled [Brute Force] [25/1]"; content: "C0000072"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002458; sid: 5002458; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Login Attempts Outside of Time Restriction [Brute Force] [25/1]"; content: "C000006F"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 
86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002459; sid: 5002459; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - Expired Account [Brute Force] [25/1]"; content: "C0000193"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002460; sid: 5002460; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - Expired Password [Brute Force] [25/1]"; content: "C0000071"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002461; sid: 5002461; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x1 - Client's entry in database has expired [25/1]"; content: " 0x1 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002462; sid: 5002462; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2 - Server's entry 
in database has expired [25/1]"; content: " 0x2 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002463; sid: 5002463; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x3 - Requested protocol version # not supported [25/1]"; content: " 0x3 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002464; sid: 5002464; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x4 - Client's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x4 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002465; sid: 5002465; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x5 - Server's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x5 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; 
after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002466; sid: 5002466; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x6 - Client not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x6 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002467; sid: 5002467; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x7 - Server not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x7 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002468; sid: 5002468; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x8 - Multiple principal entries in database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x8 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5002469; sid: 5002469; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x9 - The client or server has a null key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x9 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002470; sid: 5002470; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xA - Ticket not eligible for postdating [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xA Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002471; sid: 5002471; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xB - Requested start time is later than end time [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xB Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002472; sid: 5002472; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute 
force 0xC - KDC policy rejects request [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xC "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002473; sid: 5002473; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xD - KDC cannot accommodate requested option [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xD "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002475; sid: 5002475; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xE - KDC has no support for encryption type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xE "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002476; sid: 5002476; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - B4ute force 0xF - KDC has no support for checksum type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xF "; classtype: unsuccessful-user; program: Security*; after: track by_src, count 25, seconds 300; threshold: type 
limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002477; sid: 5002477; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x10 - KDC has no support for padata type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x10 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002478; sid: 5002478; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x11 - KDC has no support for transited type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x11 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002479; sid: 5002479; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x12 - Clients credentials have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x12 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002480; sid: 5002480; rev:1;) -#alert syslog $EXTERNAL_NET any 
-> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x13 - Credentials for server have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x13 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002481; sid: 5002481; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x14 - TGT has been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x14 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002482; sid: 5002482; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x15 - Client not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x15 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002483; sid: 5002483; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x16 - Server not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x16 "; 
classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002484; sid: 5002484; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x17 - Password has expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x17 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002485; sid: 5002485; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x18 - Pre-authentication information was invalid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x18 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002486; sid: 5002486; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x19 - Additional pre-authentication required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x19 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, 
by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002487; sid: 5002487; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x1F - Integrity check on decrypted field failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x1F "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002488; sid: 5002488; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x20 - Ticket expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x20 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002489; sid: 5002489; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x21 - Ticket not yet valid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x21 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002490; sid: 5002490; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x22 - 
Request is a replay [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x22 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002491; sid: 5002491; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x23 - The ticket isn't for us [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x23 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002492; sid: 5002492; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x24 - Ticket and authenticator don't match [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x24 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002493; sid: 5002493; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x25 - Clock skew too great [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x25 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track 
by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002494; sid: 5002494; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x26 - Incorrect net address [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x26 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002495; sid: 5002495; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x27 - Protocol version mismatch [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x27 "; classtype: unsuccessful-user; program: Security; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002496; sid: 5002496; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x28 - Invalid msg type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x28 "; classtype: unsuccessful-user; program: Security; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002497; sid: 5002497; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x29 - Message stream modified [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x29 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002498; sid: 5002498; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2A - Message out of order [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2A "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002499; sid: 5002499; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2C - Specified version of key is not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2C "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002500; sid: 5002500; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2D - Service key not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2D "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002501; sid: 5002501; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2E - Mutual authentication failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2E "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002502; sid: 5002502; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2F - Incorrect message direction [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2F "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002503; sid: 5002503; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x30 - Alternative authentication method required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x30 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002504; sid: 5002504; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x31 - Incorrect sequence number in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x31 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002505; sid: 5002505; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x32 - Inappropriate type of checksum in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x32 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002506; sid: 5002506; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x3C - Generic error [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3C "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002507; sid: 5002507; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x3D - Field is too long for this implementation [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3D "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002508; sid: 5002508; rev:1;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Name Does Not Exist [Brute Force] [25/1]"; content: "C0000064"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Source"; content:!"$ Account Domain|3a| "; flowbits: set,brute_force,21600; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5002455; sid: 5002455; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Correct but Incorrect Password [Brute Force] [25/1]"; content: "C000006A"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Account Domain|3a| "; flowbits: set,brute_force,21600; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002456; sid: 5002456; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Is Locked Out [Brute Force] [25/1]"; content: "C0000234"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002457; sid: 5002457; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Account Disabled [Brute Force] [25/1]"; content: "C0000072"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002458; sid: 5002458; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Login Attempts Outside of Time Restriction [Brute Force] [25/1]"; content: "C000006F"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002459; sid: 5002459; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - Expired Account [Brute Force] [25/1]"; content: "C0000193"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002460; sid: 5002460; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - Expired Password [Brute Force] [25/1]"; content: "C0000071"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002461; sid: 5002461; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x1 - Client's entry in database has expired [25/1]"; content: " 0x1 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002462; sid: 5002462; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2 - Server's entry in database has expired [25/1]"; content: " 0x2 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002463; sid: 5002463; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x3 - Requested protocol version # not supported [25/1]"; content: " 0x3 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002464; sid: 5002464; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x4 - Client's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x4 Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002465; sid: 5002465; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x5 - Server's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x5 Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002466; sid: 5002466; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x6 - Client not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x6 Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002467; sid: 5002467; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x7 - Server not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x7 Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002468; sid: 5002468; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x8 - Multiple principal entries in database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x8 Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002469; sid: 5002469; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x9 - The client or server has a null key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x9 Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002470; sid: 5002470; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xA - Ticket not eligible for postdating [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xA Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference:; url,wiki.quadrantsec.com/bin/view/Main/5002471; sid: 5002471; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xB - Requested start time is later than end time [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xB Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002472; sid: 5002472; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xC - KDC policy rejects request [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xC "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002473; sid: 5002473; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xD - KDC cannot accommodate requested option [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xD "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002475; sid: 5002475; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xE - KDC has no support for encryption type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xE "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002476; sid: 5002476; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - B4ute force 0xF - KDC has no support for checksum type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xF "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002477; sid: 5002477; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x10 - KDC has no support for padata type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x10 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002478; sid: 5002478; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x11 - KDC has no support for transited type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x11 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002479; sid: 5002479; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x12 - Clients credentials have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x12 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002480; sid: 5002480; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x13 - Credentials for server have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x13 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002481; sid: 5002481; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x14 - TGT has been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x14 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002482; sid: 5002482; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x15 - Client not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x15 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002483; sid: 5002483; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x16 - Server not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x16 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002484; sid: 5002484; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x17 - Password has expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x17 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002485; sid: 5002485; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x18 - Pre-authentication information was invalid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x18 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002486; sid: 5002486; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x19 - Additional pre-authentication required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x19 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002487; sid: 5002487; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x1F - Integrity check on decrypted field failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x1F "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002488; sid: 5002488; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x20 - Ticket expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x20 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002489; sid: 5002489; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x21 - Ticket not yet valid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x21 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002490; sid: 5002490; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x22 - Request is a replay [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x22 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002491; sid: 5002491; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x23 - The ticket isn't for us [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x23 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002492; sid: 5002492; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x24 - Ticket and authenticator don't match [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x24 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002493; sid: 5002493; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x25 - Clock skew too great [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x25 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002494; sid: 5002494; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x26 - Incorrect net address [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x26 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002495; sid: 5002495; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x27 - Protocol version mismatch [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x27 "; classtype: unsuccessful-user; program: *Security; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002496; sid: 5002496; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x28 - Invalid msg type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x28 "; classtype: unsuccessful-user; program: *Security; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002497; sid: 5002497; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x29 - Message stream modified [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x29 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002498; sid: 5002498; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2A - Message out of order [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2A "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002499; sid: 5002499; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2C - Specified version of key is not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2C "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002500; sid: 5002500; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2D - Service key not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2D "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002501; sid: 5002501; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2E - Mutual authentication failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2E "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002502; sid: 5002502; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2F - Incorrect message direction [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2F "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002503; sid: 5002503; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x30 - Alternative authentication method required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x30 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002504; sid: 5002504; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x31 - Incorrect sequence number in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x31 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002505; sid: 5002505; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x32 - Inappropriate type of checksum in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x32 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002506; sid: 5002506; rev:4;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x3C - Generic error [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; 
content: " 0x3C "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002507; sid: 5002507; rev:4;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x3D - Field is too long for this implementation [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3D "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002508; sid: 5002508; rev:4;) diff -Nru sagan-rules-10222015/windows-brointel.rules sagan-rules-20160923/windows-brointel.rules --- sagan-rules-10222015/windows-brointel.rules 2015-10-22 15:19:05.000000000 +0000 +++ sagan-rules-20160923/windows-brointel.rules 2016-09-21 02:52:28.000000000 +0000 @@ -1,5 +1,5 @@ # Sagan windows-brointel.rules -# Copyright (c) 2009-2015, Quadrant Information Security +# Copyright (c) 2009-2016, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 
@@ -29,67 +29,67 @@
 # http://code.google.com/p/eventlog-to-syslog/
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-BROINTEL] RDP / Logon type 10 from a Bro Intel listed IP"; program: Security*; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; bro-intel: by_src; program: Security*; parse_src_ip: 1; normalize: windows; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002224; sid: 5002224; rev:2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP [0/5]"; program: Security*; content: " 529|3a| "; classtype: unsuccessful-user; bro-intel: by_src; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: windows; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5002225; sid: 5002225; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP [Time restriction] [0/5]"; content: " 530|3a| "; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; bro-intel: by_src; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: windows; reference: url,wiki.quadrantsec.com/bin/view/Main/5002226; sid: 5002226; rev:4;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - Account currently disabled [0/5]"; content: " 531|3a| "; content:!"User Name|3a| Domain|3a|"; classtype: unsuccessful-user; program: Security*; bro-intel: by_src; normalize: windows; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002227; sid: 5002227; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - Specified account expired"; content: " 532|3a| "; classtype: unsuccessful-user; program: Security*; bro-intel: by_src; normalize: windows; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002228; sid: 5002228; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User not allowed to login at this computer"; content: " 533|3a| "; classtype: unsuccessful-user; program: Security*; bro-intel: by_src; normalize: windows; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002229; sid: 5002229; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure - Account locked from a Bro Intel listed IP [0/5]"; content: " 539|3a| "; content:!"User Name|3a| Domain|3a| Logon Type|3a|"; classtype: unsuccessful-user; bro-intel: by_src; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; parse_port; normalize: windows; fwsam: src, 1 day; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002230; sid: 5002230; rev:1;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Logon Failure from a Bro Intel listed IP"; pcre: "/ 675: | 676: | 681: /"; classtype: unsuccessful-user; program: Security*; bro-intel: by_src; normalize: windows; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002231; sid: 5002231; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-BROINTEL] RDP / Logon type 10 from a Bro Intel listed IP"; program: *Security*; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; bro-intel: by_src; program: *Security*; parse_src_ip: 1; normalize; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002224; sid: 5002224; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP [0/5]"; program: *Security*; content: " 529|3a| "; classtype: unsuccessful-user; bro-intel: by_src; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5002225; sid: 5002225; rev:3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP [Time restriction] [0/5]"; content: " 530|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; bro-intel: by_src; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5002226; sid: 5002226; rev:6;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - Account currently disabled [0/5]"; content: " 531|3a| "; content:!"User Name|3a| Domain|3a|"; classtype: unsuccessful-user; program: *Security*; bro-intel: by_src; normalize; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002227; sid: 5002227; rev:3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - Specified account expired"; content: " 532|3a| "; classtype: unsuccessful-user; program: *Security*; bro-intel: by_src; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002228; sid: 5002228; rev:3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User not allowed to login at this computer"; content: " 533|3a| "; classtype: unsuccessful-user; program: *Security*; bro-intel: by_src; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002229; sid: 5002229; rev:3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure - Account locked from a Bro Intel listed IP [0/5]"; content: " 539|3a| "; content:!"User Name|3a| Domain|3a| Logon Type|3a|"; classtype: unsuccessful-user; bro-intel: by_src; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; parse_port; normalize; fwsam: src, 1 day; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002230; sid: 5002230; rev:3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Logon Failure from a Bro Intel listed IP"; pcre: "/ 675: | 676: | 681: /"; classtype: unsuccessful-user; program: *Security*; bro-intel: by_src; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002231; sid: 5002231; rev:3;)
 # Rules added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/19/2015
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Name Does Not Exist [Brute Force] [25/1]"; content: "C0000064"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Source"; content:!"$ Account Domain|3a| "; flowbits: set,brute_force,86400; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; bro-intel: by_src; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5002563; sid:5002563; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Correct but Incorrect Password [Brute Force] [25/1]"; content: "C000006A"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Account Domain|3a| "; flowbits: set,brute_force,86400; classtype: unsuccessful-user; program: Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002562; sid:5002562; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Is Locked Out [Brute Force] [25/1]"; content: "C0000234"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002404; sid:5002404; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Account Disabled [Brute Force] [25/1]"; content: "C0000072"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002405; sid: 5002405; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Login Attempts Outside of Time Restriction [Brute Force] [25/1]"; content: "C000006F"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002406; sid: 5002406; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - Expired Account [Brute Force] [25/1]"; content: "C0000193"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002407; sid: 5002407; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - Expired Password [Brute Force] [25/1]"; content: "C0000071"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002408; sid: 5002408; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x1 - Client's entry in database has expired [25/1]"; content: " 0x1 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002409; sid: 5002409; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2 - Server's entry in database has expired [25/1]"; content: " 0x2 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002410; sid: 5002410; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x3 - Requested protocol version # not supported [25/1]"; content: " 0x3 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002411; sid: 5002411; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x4 - Client's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x4 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002412; sid: 5002412; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x5 - Server's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x5 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002413; sid: 5002413; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x6 - Client not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x6 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002414; sid: 5002414; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x7 - Server not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x7 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002415; sid: 5002415; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x8 - Multiple principal entries in database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x8 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002416; sid: 5002416; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x9 - The client or server has a null key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x9 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002417; sid: 5002417; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xA - Ticket not eligible for postdating [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xA Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002418; sid: 5002418; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xB - Requested start time is later than end time [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xB Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002419; sid: 5002419; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xC - KDC policy rejects request [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xC "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002420; sid: 5002420; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xD - KDC cannot accommodate requested option [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xD "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002421; sid: 5002421; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xE - KDC has no support for encryption type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xE "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002422; sid: 5002422; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - B4ute force 0xF - KDC has no support for checksum type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xF "; classtype: unsuccessful-user; program: Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002423; sid: 5002423; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x10 - KDC has no support for padata type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x10 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002424; sid: 5002424; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x11 - KDC has no support for transited type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x11 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002425; sid: 5002425; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x12 - Clients credentials have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x12 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002426; sid: 5002426; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x13 - Credentials for server have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x13 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002427; sid: 5002427; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x14 - TGT has been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x14 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002428; sid: 5002428; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x15 - Client not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x15 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002429; sid: 5002429; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x16 - Server not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x16 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002430; sid: 5002430; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x17 - Password has expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x17 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002431; sid: 5002431; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x18 - Pre-authentication information was invalid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x18 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002432; sid: 5002432; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x19 - Additional pre-authentication required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x19 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002433; sid: 5002433; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x1F - Integrity check on decrypted field failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x1F "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002434; sid: 5002434; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x20 - Ticket expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x20 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002435; sid: 5002435; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x21 - Ticket not yet valid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x21 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002436; sid: 5002436; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x22 - Request is a replay [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x22 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002437; sid: 5002437; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x23 - The ticket isn't for us [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x23 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002438; sid: 5002438; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x24 - Ticket and authenticator don't match [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x24 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002439; sid: 5002439; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x25 - Clock skew too great [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x25 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002440; sid: 5002440; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x26 - Incorrect net address [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x26 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002441; sid: 5002441; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x27 - Protocol version mismatch [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x27 "; classtype: unsuccessful-user; program: Security; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002442; sid: 5002442; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x28 - Invalid msg type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x28 "; classtype: unsuccessful-user; program: Security; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002443; sid: 5002443; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x29 - Message stream modified [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x29 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002444; sid: 5002444; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2A - Message out of order [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2A "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002445; sid: 5002445; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2C - Specified version of key is not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2C "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002446; sid: 5002446; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2D - Service key not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2D "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002447; sid: 5002447; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2E - Mutual authentication failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2E "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002448; sid: 5002448; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2F - Incorrect message direction [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2F "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002449; sid: 5002449; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x30 - Alternative authentication method required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x30 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; 
parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002450; sid: 5002450; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x31 - Incorrect sequence number in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x31 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002451; sid: 5002451; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x32 - Inappropriate type of checksum in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x32 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002452; sid: 5002452; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x3C - Generic error [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3C "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002453; sid: 5002453; rev:1;) -#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x3D - Field is too long for this implementation [25/1]"; 
pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3D "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002454; sid: 5002454; rev:1;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Name Does Not Exist [Brute Force] [25/1]"; content: "C0000064"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Source"; content:!"$ Account Domain|3a| "; flowbits: set,brute_force,21600; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; bro-intel: by_src; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5002563; sid:5002563; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Correct but Incorrect Password [Brute Force] [25/1]"; content: "C000006A"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Account Domain|3a| "; flowbits: set,brute_force,21600; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002562; sid:5002562; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Is Locked Out [Brute Force] [25/1]"; content: "C0000234"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5002404; sid:5002404; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Account Disabled [Brute Force] [25/1]"; content: "C0000072"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002405; sid: 5002405; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Login Attempts Outside of Time Restriction [Brute Force] [25/1]"; content: "C000006F"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002406; sid: 5002406; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - Expired Account [Brute Force] [25/1]"; content: "C0000193"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002407; sid: 5002407; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - Expired Password [Brute Force] [25/1]"; content: "C0000071"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, 
seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002408; sid: 5002408; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x1 - Client's entry in database has expired [25/1]"; content: " 0x1 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002409; sid: 5002409; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2 - Server's entry in database has expired [25/1]"; content: " 0x2 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002410; sid: 5002410; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x3 - Requested protocol version # not supported [25/1]"; content: " 0x3 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002411; sid: 5002411; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] 
Windows DC Login failure from a Bro Intel listed IP - Brute force 0x4 - Client's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x4 Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002412; sid: 5002412; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x5 - Server's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x5 Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002413; sid: 5002413; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x6 - Client not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x6 Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002414; sid: 5002414; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x7 - Server not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x7 Client "; classtype: unsuccessful-user; program: *Security*; flowbits: 
set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002415; sid: 5002415; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x8 - Multiple principal entries in database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x8 Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002416; sid: 5002416; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x9 - The client or server has a null key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x9 Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002417; sid: 5002417; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xA - Ticket not eligible for postdating [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xA Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002418; sid: 5002418; rev:2;) +#alert syslog $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xB - Requested start time is later than end time [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xB Client "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002419; sid: 5002419; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xC - KDC policy rejects request [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xC "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002420; sid: 5002420; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xD - KDC cannot accommodate requested option [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xD "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002421; sid: 5002421; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xE - KDC has no support for encryption type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xE "; classtype: unsuccessful-user; program: *Security*; flowbits: 
set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002422; sid: 5002422; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - B4ute force 0xF - KDC has no support for checksum type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xF "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002423; sid: 5002423; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x10 - KDC has no support for padata type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x10 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002424; sid: 5002424; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x11 - KDC has no support for transited type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x11 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002425; sid: 5002425; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC 
Login failure from a Bro Intel listed IP - Brute force 0x12 - Clients credentials have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x12 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002426; sid: 5002426; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x13 - Credentials for server have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x13 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002427; sid: 5002427; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x14 - TGT has been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x14 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002428; sid: 5002428; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x15 - Client not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x15 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; 
threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002429; sid: 5002429; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x16 - Server not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x16 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002430; sid: 5002430; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x17 - Password has expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x17 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002431; sid: 5002431; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x18 - Pre-authentication information was invalid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x18 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002432; sid: 5002432; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed 
IP - Brute force 0x19 - Additional pre-authentication required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x19 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002433; sid: 5002433; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x1F - Integrity check on decrypted field failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x1F "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002434; sid: 5002434; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x20 - Ticket expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x20 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002435; sid: 5002435; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x21 - Ticket not yet valid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x21 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; 
parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002436; sid: 5002436; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x22 - Request is a replay [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x22 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002437; sid: 5002437; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x23 - The ticket isn't for us [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x23 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002438; sid: 5002438; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x24 - Ticket and authenticator don't match [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x24 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002439; sid: 5002439; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x25 - Clock skew too great [25/1]"; pcre: "/ 675: | 676: | 681: | 
4771: | 4768: /"; content: " 0x25 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002440; sid: 5002440; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x26 - Incorrect net address [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x26 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002441; sid: 5002441; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x27 - Protocol version mismatch [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x27 "; classtype: unsuccessful-user; program: *Security; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002442; sid: 5002442; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x28 - Invalid msg type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x28 "; classtype: unsuccessful-user; program: *Security; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002443; sid: 5002443; rev:2;) 
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x29 - Message stream modified [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x29 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002444; sid: 5002444; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2A - Message out of order [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2A "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002445; sid: 5002445; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2C - Specified version of key is not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2C "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002446; sid: 5002446; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2D - Service key not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2D "; classtype: unsuccessful-user; program: *Security*; flowbits: 
set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002447; sid: 5002447; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2E - Mutual authentication failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2E "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002448; sid: 5002448; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2F - Incorrect message direction [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2F "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002449; sid: 5002449; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x30 - Alternative authentication method required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x30 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002450; sid: 5002450; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x31 - Incorrect sequence number in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x31 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002451; sid: 5002451; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x32 - Inappropriate type of checksum in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x32 "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002452; sid: 5002452; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x3C - Generic error [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3C "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002453; sid: 5002453; rev:2;) +#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x3D - Field is too long for this implementation [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3D "; classtype: unsuccessful-user; program: *Security*; flowbits: set,brute_force,21600; after: track 
by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002454; sid: 5002454; rev:2;)
diff -Nru sagan-rules-10222015/windows-correlated.rules sagan-rules-20160923/windows-correlated.rules
--- sagan-rules-10222015/windows-correlated.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/windows-correlated.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan windows-correlated.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/windows-emet.rules sagan-rules-20160923/windows-emet.rules
--- sagan-rules-10222015/windows-emet.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/windows-emet.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan windows-applocker.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -39,6 +39,6 @@
 # 10.5.1.1|daemon|notice|notice|1d|2014-08-20|12:03:23|Security-Auditing| 4689: A process has exited. Subject: Security ID: S-1-5-21-148272361-2449339356-1462517947-1000 Account Name: champ Account Domain: Champ-BOX Logon ID: 0x1a285 Process Information: Process ID: 0x120 Process Name: C:\Program Files\EMET 4.1\EMET_Agent.exe Exit Status: 0x40010004
-alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-EMET] EMET process stopped, but not due to reboot"; pcre: "/ 4689: | 593: /" ; content: "EMET_Agent.exe"; nocase; flowbits: isnotset, by_src, windows_reboot; program: Security-Auditing|Security; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002102; sid:5002102; rev:1;)
+alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-EMET] EMET process stopped, but not due to reboot"; pcre: "/ 4689: | 593: /" ; content: "EMET_Agent.exe"; nocase; flowbits: isnotset, by_src, windows_reboot; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002102; sid:5002102; rev:2;)
diff -Nru sagan-rules-10222015/windows-geoip.rules sagan-rules-20160923/windows-geoip.rules
--- sagan-rules-10222015/windows-geoip.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/windows-geoip.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan windows-geoip.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
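Review bot: The flowbit this rule tests, `flowbits: isnotset, by_src, windows_reboot`, is not the name the equivalent reboot guard in windows-malware.rules uses (`flowbits: isnotset,by_src,reboot.windows` on sid 5002011 further down this diff); unless a reboot-detection rule sets both names, one of the two `isnotset` checks is always true and the "not due to reboot" qualifier in that rule's msg is not enforced. Pick one flowbit name and use it in both rules. The file's header comment in the preceding hunk also still reads `# Sagan windows-applocker.rules` although this is windows-emet.rules, which looks like a copy-paste leftover.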
@@ -24,15 +24,17 @@
 # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-GEOIP] Windows Logon outside of HOME_COUNTRY"; pcre: "/ 540: | 4624: /"; classtype: successful-user; program: Security*; parse_src_ip: 1; parse_port; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,wiki.quadrantsec.com/bin/view/Main/5001873; sid: 5001873; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] RDP / Logon type 10 from outside HOME_COUNTRY "; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; country_code: track by_src, isnot $HOME_COUNTRY; program: Security*; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002016; sid: 5002016; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] Logon attempt using explicit credentials from outside HOME_COUNTRY"; pcre: "/ 552: | 4648: /"; content:!"Network Address|3a| - "; content:!"Port|3a| - "; content:!"Target Server Name|3a| localhost"; program: Security*; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002020; sid: 5002020; rev:3;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-GEOIP] Windows Logon outside of HOME_COUNTRY"; pcre: "/ 540: | 4624: /"; content:!"0.0 Source Port|3a| 0"; classtype: successful-user; program: *Security*; parse_src_ip: 1; parse_port; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,wiki.quadrantsec.com/bin/view/Main/5001873; sid: 5001873; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] Windows Network Cleartext from outside HOME_COUNTRY "; pcre: "/ 540: | 4624: /"; content: "Logon Type|3a| 8 "; country_code: track by_src, isnot $HOME_COUNTRY; program: Security*; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002337; sid: 5002337; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] RDP / Logon type 10 from outside HOME_COUNTRY "; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; country_code: track by_src, isnot $HOME_COUNTRY; program: *Security*; parse_src_ip: 1; content: !"0.0 Source Port|3a| 0"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002016; sid: 5002016; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] Windows Session Disconnected from outside HOME_COUNTRY "; pcre: "/ 683: | 4779: /"; content: "Session"; country_code: track by_src, isnot $HOME_COUNTRY; program: Security*; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002338; sid: 5002338; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] Logon attempt using explicit credentials from outside HOME_COUNTRY"; pcre: "/ 552: | 4648: /"; content:!"Network Address|3a| - "; content:!"Port|3a| - "; content:!"Target Server Name|3a| localhost"; program: *Security*; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002020; sid: 5002020; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] Windows RDP Session Disconnected from outside HOME_COUNTRY "; pcre: "/ 683: | 4779: /"; content: "Session"; content: "RDP"; country_code: track by_src, isnot $HOME_COUNTRY; program: Security*; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002339; sid: 5002339; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] Windows Network Cleartext from outside HOME_COUNTRY "; pcre: "/ 540: | 4624: /"; content: "Logon Type|3a| 8 "; country_code: track by_src, isnot $HOME_COUNTRY; program: *Security*; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002337; sid: 5002337; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] Explicit Windows Logon "; pcre: "/ 552: | 4648: /"; content: "Target"; content: "Process"; country_code: track by_src, isnot $HOME_COUNTRY; program: Security*; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002340; sid: 5002340; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] Windows Session Disconnected from outside HOME_COUNTRY "; pcre: "/ 683: | 4779: /"; content: "Session"; country_code: track by_src, isnot $HOME_COUNTRY; program: *Security*; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002338; sid: 5002338; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] Windows RDP Session Disconnected from outside HOME_COUNTRY "; pcre: "/ 683: | 4779: /"; content: "Session"; content: "RDP"; country_code: track by_src, isnot $HOME_COUNTRY; program: *Security*; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002339; sid: 5002339; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] Attempted explicit windows logon "; pcre: "/ 552: | 4648: /"; content: "Target"; content: "Process"; country_code: track by_src, isnot $HOME_COUNTRY; program: *Security*; parse_src_ip: 1; flowbits: set, recon, 86400; threshold: type limit, track by_src, count 2, seconds 300; content:!"0.0 Port|3a| 0"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002340; sid: 5002340; rev:4;)
diff -Nru sagan-rules-10222015/windows-malware.rules sagan-rules-20160923/windows-malware.rules
--- sagan-rules-10222015/windows-malware.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/windows-malware.rules 2016-09-21 02:52:28.000000000 +0000
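Review bot: Sid 5002337 (Network Cleartext, Logon Type 8) keys on the same ` 540: | 4624: ` events as 5001873 and 5002016 but did not receive the `content:!"0.0 Source Port|3a| 0"` exclusion those two gained in this hunk; if that exclusion is there to keep logons reported with a 0.0.0.0/port 0 source out of the country lookup, the type-8 rule needs it for the same reason. The negated content is also written two ways here, `content:!"0.0 Source Port|3a| 0"` in 5001873 and `content: !"0.0 Source Port|3a| 0"` in 5002016; normalising to the form the rest of the file uses avoids relying on the option parser to tolerate the space before `!`. Sid 5002340 was retitled "Attempted explicit windows logon" and now sets a `recon` flowbit, yet it keeps `classtype: successful-user`; since 4648 is logged for the attempt regardless of outcome, a classtype such as `attempted-user` (if defined in the deployed classification.config) describes it better.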
@@ -1,5 +1,5 @@
 # Sagan windows-malware.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -24,11 +24,11 @@
 # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #
 #*************************************************************
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5]"; content: "16464"; pcre: "/ 861: | 5154: | 5155: /"; threshold: type limit, track by_src, count 5, seconds 300; classtype: network-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001735; sid: 5001735; rev:5;)
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5]"; content: "16465"; pcre: "/ 861: | 5154: | 5155: /"; threshold: type limit, track by_src, count 5, seconds 300; classtype: network-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001736; sid: 5001736; rev:5;)
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5]"; content: "16470"; pcre: "/ 861: | 5154: | 5155: /"; threshold: type limit, track by_src, count 5, seconds 300; classtype: network-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001737; sid: 5001737; rev:5;)
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5]"; content: "16471"; pcre: "/ 861: | 5154: | 5155: /"; threshold: type limit, track by_src, count 5, seconds 300; classtype: network-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001738; sid: 5001738; rev:5;)
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Black POS Malware Detected [5/5]"; pcre: "/ 4657: | 567: | 4688: | 592: /"; content: "POSWDS"; classtype: trojan-activity; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001951; sid: 5001951; rev:4;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5]"; content: "16464"; pcre: "/ 861: | 5154: | 5155: /"; threshold: type limit, track by_src, count 5, seconds 300; classtype: network-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001735; sid: 5001735; rev:6;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5]"; content: "16465"; pcre: "/ 861: | 5154: | 5155: /"; threshold: type limit, track by_src, count 5, seconds 300; classtype: network-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001736; sid: 5001736; rev:6;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5]"; content: "16470"; pcre: "/ 861: | 5154: | 5155: /"; threshold: type limit, track by_src, count 5, seconds 300; classtype: network-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001737; sid: 5001737; rev:6;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5]"; content: "16471"; pcre: "/ 861: | 5154: | 5155: /"; threshold: type limit, track by_src, count 5, seconds 300; classtype: network-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001738; sid: 5001738; rev:6;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Black POS Malware Detected [5/5]"; pcre: "/ 4657: | 567: | 4688: | 592: /"; content: "POSWDS"; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001951; sid: 5001951; rev:5;)
 #*************************************************************
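Review bot: Sid 5001951 (Black POS) carries the `[5/5]` suffix in its msg like the four ZeroAccess rules above it, but unlike them it has no `threshold:` option, so the suffix promises a rate limit the rule does not apply; either add `threshold: type limit, track by_src, count 5, seconds 300;` or drop `[5/5]` from the msg. The ZeroAccess rules match the bare digits `content: "16464"` (and 16465/16470/16471) anywhere in the 861/5154/5155 message, so any other numeric field that happens to contain those digits matches too; if those events render the port with its field name, anchoring on it in the `Port|3a| 16464` style the windows-geoip rules in this diff use would narrow the match. Both points are unchanged from the previous revision and were not touched by this rev bump.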
@@ -39,19 +39,241 @@ #************************************************************* -alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] System protection disabled"; pcre: "/ 7034: | 7035: | 7046: | 7040: | 4689: | 593: /" ; pcre: "/Defender/Anti-Virus/antivirus/i"; content: "stop control"; flowbits: isnotset,by_src,reboot.windows; program: Service_Control_Manager; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002011; sid: 5002011; rev:6;) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] System protection disabled"; pcre: "/ 7034: | 7035: | 7046: | 7040: | 4689: | 593: /" ; pcre: "/Defender/Anti-Virus/antivirus/i"; content: "stop control"; flowbits: isnotset,by_src,reboot.windows; program: Service_Control_Manager; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002011; sid: 5002011; rev:7;) -alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Suspicious misspelled process"; pcre: "/ 4688: | 592: /"; pcre: "/(scvhost|svcdost|scvdost|iexplorer)\.exe/i"; classtype: trojan-activity; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001999; sid: 5001999; rev:2;) -alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Lower case drive letter used in process"; pcre: "/ 4688: | 592: /"; pcre: "/File Name: (c|d|e)\x3a/"; classtype: trojan-activity; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002000; sid: 5002000; rev:2;) -alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Incorrect path called for svchost.exe"; pcre: "/ 4688: | 592: /"; content: "\svchost.exe"; content:!"C|3a|\WINDOWS\System32\svchost.exe"; nocase; classtype: trojan-activity; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002001; sid: 5002001; rev:2;) -alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Incorrect path called for explorer.exe"; 
pcre: "/ 4688: | 592: /"; content: "\explorer.exe"; content:!"C|3a|\WINDOWS\explorer.exe"; nocase; classtype: trojan-activity; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002002; sid: 5002002; rev:2;) -alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Suspicious application crash"; content: " 4097|3a| "; pcre: "/Adobe|Microsoft Office|Java|wmplayer/"; classtype: trojan-activity; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002003; sid: 5002003; rev:3;) -alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Suspicious Tool Event"; pcre: "/ 4688: | 592: /"; pcre: "/win32dd.exe|win64dd.exe|cachedump|fgdump|gsecdump|lslsass|mimikatz|pwdump7|pwdumpx|pwdump|wce.exe|getlsasrvaddr|iam.exe|iam-alt|whosthere.exe|whosthere-alt|genhash/i"; program: Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002006; sid: 5002006; rev:3;) -#alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Virus Found!"; content: "virus found"; nocase; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002007; sid: 5002007; rev:1;) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Suspicious misspelled process"; pcre: "/ 4688: | 592: /"; pcre: "/(scvhost|svcdost|scvdost|iexplorer)\.exe/i"; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001999; sid: 5001999; rev:3;) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Lower case drive letter used in process"; pcre: "/ 4688: | 592: /"; pcre: "/File Name: (c|d|e)\x3a/"; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002000; sid: 5002000; rev:3;) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Incorrect path called for svchost.exe"; pcre: "/ 4688: | 592: /"; content: "\svchost.exe"; 
content:!"C|3a|\WINDOWS\System32\svchost.exe"; nocase; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002001; sid: 5002001; rev:3;) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Incorrect path called for explorer.exe"; pcre: "/ 4688: | 592: /"; content: "\explorer.exe"; content:!"C|3a|\WINDOWS\explorer.exe"; nocase; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002002; sid: 5002002; rev:3;) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Suspicious application crash"; content: " 4097|3a| "; pcre: "/Adobe|Microsoft Office|Java|wmplayer/"; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002003; sid: 5002003; rev:4;) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Suspicious Tool Event"; pcre: "/ 4688: | 592: /"; pcre: "/win32dd.exe|win64dd.exe|cachedump|fgdump|gsecdump|lslsass|mimikatz|pwdump7|pwdumpx|pwdump|wce.exe|getlsasrvaddr|iam.exe|iam-alt|whosthere.exe|whosthere-alt|genhash/i"; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002006; sid: 5002006; rev:4;) +#alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Virus Found!"; content: "virus found"; nocase; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002007; sid: 5002007; rev:2;) # Added by Champ Clark - 08/26/2014 -alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] RASWMI Malware process detected"; pcre: "/ 4688: | 592: /"; content: "|3a|\Windows\system32\wbem\raswmi.dll"; classtype: trojan-activity; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002103; sid:5002103; rev:2;) +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] RASWMI Malware process detected"; pcre: "/ 4688: | 592: /"; content: 
"|3a|\Windows\system32\wbem\raswmi.dll"; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002103; sid:5002103; rev:3;) +# Added by Champ Clark - 06/08/2016 +# Security-Auditing| 4663: AUDIT_SUCCESS An attempt was made to access an object. Subject: *Security ID: S-1-5-21-3033682373-1303307761-3711879957-1000 Account Name: frankw Account Domain: frankw-PC Logon ID: 0x144f4 Object: Object Server: *Security Object Type: File Object Name: C:\ProgramData\Microsoft\User Account Pictures\B2DFD6E96212209F0583673878AA9EF6.locky Handle ID: 0x5d68 Process Information: Process ID: 0x6a8 Process Name: C:\Users\frankw\AppData\Local\Temp\30e22374e00af038d06063db14cb3797.exe Access Request Information: Accesses: WriteAttributes Access Mask: 0x100 + +alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Locky or AutoLocky ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".locky "; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002801; sid:5002801; reference: url,decrypter.emsisoft.com; rev:5;) + +# Ransomware rules By Corey Fisher (cfisher@quadrantsec.com) & Bryan Manradge. 
+# 04/11/2016 + +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Locky ransomware note detected."; pcre: "/ 4663: | 567: | 5145: /"; content: "_Locky_recover_instructions.txt"; program: *Security*; classtype: trojan-activity; reference: url,http://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/; reference: url,wiki.quadrantsec.com/bin/view/Main/5002804; sid:5002804; rev:3;) + +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Cryptowall 4.0 ransomware note detected."; pcre: "/ 4663: | 567: | 5145: /"; pcre: "/HELP_YOUR_FILES|DECRYPT_INSTRUCTION/i"; program: *Security*; classtype: trojan-activity; reference: url,http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#cryptowall4; reference: url,wiki.quadrantsec.com/bin/view/Main/5002805; sid:5002805; rev:4;) + +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Cryptowall ransomware note detected."; pcre: "/ 4663: | 567: | 5145: /"; content: "HELP_DECRYPT.txt"; content: "WriteData"; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002806; sid:5002806; rev:3;) + +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptInfinite/DecryptorMax ransomware note detected."; pcre: "/ 4663: | 567: | 5145: /"; content: "ReadDecryptFilesHere.txt"; program: *Security*; classtype: trojan-activity; reference: url,http://www.bleepingcomputer.com/news/security/cryptinfinite-or-decryptormax-ransomware-decrypted/; reference: url,wiki.quadrantsec.com/bin/view/Main/5002807; reference: url,decrypter.emsisoft.com;sid:5002807; rev:4;) + +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TeslaCrypt ransomware note detected."; pcre: "/ 4663: | 567: | 5145: /"; pcre: "/HELP_TO_DECRYPT_YOUR_FILES.txt|Howto_Restore_FILES.txt|_how_recover_.TXT|_H_e_l_p_RECOVER_INSTRUCTIONS.txt/i"; program: *Security*; 
classtype: trojan-activity; reference: url,www.pcrisk.com/removal-guides/8724-teslacrypt-virus; reference: url,wiki.quadrantsec.com/bin/view/Main/5002808; sid:5002808; rev:4;) + +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Teslacrypt ransomware note type 2 detected."; pcre: "/ 4663: | 567: | 5145: /"; pcre: "/\+-xxx-HELP-xxx-\+[0-9a-zA-Z]+-\+\.txt/i"; program: *Security*; classtype: trojan-activity; reference: url,www.virustotal.com/en/file/161d1b77a6867603745046e81e52a186ea764ba8c723c9698da707c245505e95/analysis/1458765163/; reference: url,wiki.quadrantsec.com/bin/view/Main/5002809; sid:5002809; rev:4;) + +# More Ransomware rules by Champ Clark (cclark@quadrantsec.com). +# +# Data for these ransomware rules come from: +# https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g +# http://www.nyxbone.com/malware/RansomwareOverview.html + +# CryptoHasYou. - Trojan:Win32/Dynamer!ac or Rakhni + +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TrueCrypter Rakhni or .CryptoHasYou. - Trojan:Win32/Dynamer!ac ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content:!"\encoding\"; nocase; meta_content: ".%sagan% ",enc,cryptohasyou; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002819; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002819; rev:7;) + +# CryptoHasYou + +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] .CryptoHasYou. 
- Trojan:Win32/Dynamer!ac ransom note detected."; pcre: "/ 4663: | 567: | 5145: /"; content: "YOUR_FILES_ARE_LOCKED.txt"; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002820; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002820; rev:4;) + +# 7ev3n - Ransom:Win32/Empercrypt.A + +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] 7ev3n - Ransom:Win32/Empercrypt.A ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content:".%sagan% ",R5A,R4A; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002821;reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url, https://github.com/hasherezade/malware_analysis/tree/master/7ev3n; sid:5002821; rev:7;) + +# BitCryptor - Win32/Cribit or CoinVault - Ransom: MSIL/Vaultlock.A + +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Win32/Cribit or MSIL/Vaultlock.A ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".clf "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002822; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,noransom.kaspersky.com; sid:5002822; rev:6;) + +# Cerber - Win32/Cerber + +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Cerber - Win32/Cerber ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".cerber "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002823; reference: 
url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002823; rev:5;) + +# Chimera - Win32/Chicrypt + +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Chimera - Win32/Chicrypt ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".crypt "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002824; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html;sid:5002824; rev:5;) + +# Coverton + +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Coverton ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ", coverton,enigma,czvxce; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002825; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002825; rev:5;) + +# CryptInfinite + +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptInfinite ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".crinf "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002826; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002826; rev:5;) + +# CryptoJoker + +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptInfinite ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".crjoker "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002827; reference: 
url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002827; rev:5;)
+
+# CryptoTorLocker2015
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptoTorLocker2015 ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".CryptoTorLocker2015! "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002828; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002828; rev:5;)
+
+# CryptXXX or Gomasom
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptXXX or Gomasom ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".crypt "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002829; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002829; rev:5;)
+
+# Hi Buddy! or Rakhni
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Hi Buddy! or Rakhni ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".cry "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002830; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002830; rev:5;)
+
+# iLock, iLockLight or Lortok
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] iLock, iLockLight or Lortok ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".crime "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002831; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002831; rev:5;)
+
+# Jigsaw - Ransom:MSIL/JigsawLocker.A
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Jigsaw - MSIL/JigsawLocker.A"; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ", btc,kkk,fun,gws; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002832; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-will-delete-your-files-until-you-pay-the-ransom; sid:5002832; rev:5;)
+
+# Job Crypter, KimcilWare, SkidLocker, Pompous, Strictor or Rakhni
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] EDA2,HiddenTear,Job Crypter,KimcilWare,SkidLocker,Pompous,Strictor or Rakhni ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".locked "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002833; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002833; rev:6;)
+
+# KeyBTC - Ransom: Win32/Isda - Ransom: BAT/Xibow
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] KeyBTC - Win32/Isda - BAT/Xibow ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".keybtc@inbox_com "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002834; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002834; rev:5;)
+
+# KimcilWare
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] KimcilWare ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".kimcilware "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002835; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,blog.fortinet.com/post/kimcilware-ransomware-how-to-decrypt-encrypted-files-and-who-is-behind-it; sid:5002835; rev:5;)
+
+# LeChiffre
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] LeChiffre ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".lechiffre "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002836; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,decrypter.emsisoft.com/lechiffre; sid:5002836; rev:5;)
+
+# LowLevel04
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] LowLevel04 ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".oor."; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002847; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002847; rev:5;)
+
+# Magic
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Magic ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".magic "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002837; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002837; rev:5;)
+
+# MireWare
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] MireWare ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".fucked "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002838; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002838; rev:5;)
+
+# Nemucod
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Nemucod ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".crypted "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002839; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,decrypter.emsisoft.com; reference: url,github.com/Antelox/NemucodFR; sid:5002839; rev:7;)
+
+
+# Offline ransomware
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Offline ransomware ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".cbf "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002840; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002840; rev:5;)
+
+# OMG! Ransomware
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] OMG! ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".LOL! "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002841; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002841; rev:4;)
+
+# Radamant
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Radamant ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".RADAMANT "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002842; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,decrypter.emsisoft.com; sid:5002842; rev:4;)
+
+# Rakhni
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Coverton or Torrentlocker ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ",kraken,darkness,nochance,oshit,oplata@qq_com,relock@qq_com,crypto,helpdecrypt@ukr.net,pizda@qq_com,dyatel@qq_com,_ryp,nalog@qq_com,chifrator@qq_com,gruzin@qq_com,troyancoder@qq_com,encrypted,AES256,hb15; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002843; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,support.kaspersky.com/us/viruses/disinfection/10556; sid:5002843; rev:6;)
+
+# RemindMe
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] RemindMe ransomware extension or note detected."; pcre: "/ 4663: | 567: | 5145: /"; pcre: "/\.remindme |decrypt_your_files.html/i"; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002844; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002844; rev:5;)
+
+# Rokku
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Rokku ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".rokku "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002845; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002845; rev:4;)
+
+# Samas-Samsam
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Samas-Samsam ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ",encryptedAES,encryptedRSA,encedRSA,justbtcwillhelpyou,btcbtcbtc; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002846; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002846; rev:5;)
+
+# Sanction
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Sanction ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".sanction "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002848; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002848; rev:4;)
+
+# Sport
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Sport ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".sport "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002849; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002849; rev:3;)
+
+# Surprise
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Surprise ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".suprise "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002850; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002850; rev:3;)
+
+# TeslaCrypt 0.x - 2.2.0
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TeslaCrypt 0.x - 2.2.0 ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ",vvv,ecc,exx,ezz,abc,aaa,zzz,xyz; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002851; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt; reference: url,www.talosintel.com/teslacrypt_tool; sid:5002851; rev:3;)
+
+# TeslaCrypt 3.0+
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TeslaCrypt 3.0+ ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ",micro,xxx,ttt; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002852; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002852; rev:3;)
+
+# Troldesh
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Troldesh ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ",better_call_saul,xtbl; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002853; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002853; rev:2;)
+
+# VaultCrypt
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Zlader / Russian or VaultCrypt ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ",vault,xort; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002854; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002854; rev:3;)
+
+# Virus-Encoder
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Virus-Encoder ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".CrySiS "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002855; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002855; rev:3;)
+
+# Xorist
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Xorist ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ", EnCiPhErEd,73i87A,p5tkjw,PoAr2w; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002856; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,support.kaspersky.com/viruses/disinfection/2911; sid:5002856; rev:3;)
+
+# XRTN
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] XRTN ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".CrySiS "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002857; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002857; rev:3;)
+
+# CryptFIle2
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptFIle2 ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".scl "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002858; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002858; rev:3;)
+
+# Cryaki
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Cryaki ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".scl "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002859; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,support.kaspersky.com/viruses/disinfection/8547; sid:5002859; rev:4;)
+
+# CTB-Locker
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CTB-Locker ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".ctbl "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002860; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002860; rev:3;)
+
+# El-Polocker
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] El-Polocker ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".ha3 "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002861; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002861; rev:3;)
+
+# Mobef
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Mobef ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ",KEYZ,KEYH0LES; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002862; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002862; rev:3;)
+
+# Alpha Ransomware
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Alpha ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".encrypt "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002863; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002863; rev:3;)
+
+# WonderCrypter
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] WonderCrypter ransomware extension or note detected."; pcre: "/ 4663: | 567: | 5145: /"; pcre: "/\.h3ll |SECRETISHIDINGHEREINSIDE.KEY|YOUGOTHACKED.TXT/i"; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002864; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002864; rev:5;)
+
+# Zeta
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Zeta ransomware note detected."; pcre: "/ 4663: | 567: | 5145: /"; content: "HELP_YOUR_FILES.HTML"; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002865; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002865; rev:3;)
+
+# PLAUGE17 (?)
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] WonderCrypter ransomware extension or note detected."; pcre: "/ 4663: | 567: | 5145: /"; pcre: "/\.PLAUGE17 |PLAUGE17.TXT/i"; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002866; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002866; rev:5;)
+
+# Unknown strains of ransomware
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Possible unknown strain ransomware extension or note detected."; pcre: "/ 4663: | 567: | 5145: /"; pcre: "/\.crypttt |\.8lock8 |\.neitrino |\.xcrypt |!!!ATTENTION.TXT!!!, READ_IT\.TXT|FILES_BACK.TXT|WHAT IS SQ_.txt/i"; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002867; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002867; rev:3;)
diff -Nru sagan-rules-10222015/windows-misc.rules sagan-rules-20160923/windows-misc.rules
--- sagan-rules-10222015/windows-misc.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/windows-misc.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan windows-misc.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -28,8 +28,8 @@
 # Eventlog to syslog service. This is what we primarily use.
 # http://code.google.com/p/eventlog-to-syslog/
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Detection of net listening application [0/5]"; pcre: "/ 861: | 5154: /"; threshold: type limit, track by_src, count 5, seconds 300; classtype: network-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5000306; sid: 5000306; rev:6;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Privileged Service Called"; pcre: "/ 577: | 4673: /"; classtype: successful-admin; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5000307; sid: 5000307; rev:5;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Detection of net listening application [0/5]"; pcre: "/ 861: | 5154: /"; threshold: type limit, track by_src, count 5, seconds 300; classtype: network-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5000306; sid: 5000306; rev:7;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Privileged Service Called"; pcre: "/ 577: | 4673: /"; classtype: successful-admin; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5000307; sid: 5000307; rev:6;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Apple Bonjour service detect [iTunes installed?]"; classtype: policy-violation; program: Bonjour; reference: url,wiki.quadrantsec.com/bin/view/Main/5000308; sid: 5000308; rev:2;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Application error"; content: " 1001|3a| "; classtype: program-error; program: Application; reference: url,wiki.quadrantsec.com/bin/view/Main/5000309; sid: 5000309; rev:3;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Application hang"; content: " 1002|3a| "; classtype: program-error; program: Application; reference: url,wiki.quadrantsec.com/bin/view/Main/5000310; sid: 5000310; rev:3;)
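Review bot: Sid 5000306 (net listening application, events 861/5154) goes from an active rule to a commented-out one in this hunk with only the `program: *Security*` change and a rev bump, and nothing records why it was disabled. This file already carries short prose notes for exactly that (`# SID 5002272 and 5002273 are noisy.` further down), so a line such as `# 5000306 disabled <date>: <reason TODO>` above the rule would stop a maintainer from re-enabling it blindly. Disabling it also removes the only 861/5154 coverage visible in this hunk; if that coverage now lives elsewhere, say so in the same comment.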
@@ -83,9 +83,9 @@
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MSSQLServer I/O error"; content: " 823|3a| "; classtype: hardware-event; program: Ntfs; reference: url,wiki.quadrantsec.com/bin/view/Main/5001096; sid: 5001096; rev:2;)
 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Application uninstall"; content: " 11724|3a| "; classtype: program-error; program: MsiInstaller; reference: url,wiki.quadrantsec.com/bin/view/Main/5001182; sid: 5001182; rev:2;)
 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Application install"; content: " 11707|3a| "; classtype: program-error; program: MsiInstaller; reference: url,wiki.quadrantsec.com/bin/view/Main/5001183; sid: 5001183; rev:2;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Windows is shutting down"; pcre: "/ 513: | 4609: /"; classtype: program-error; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001184; sid: 5001184; rev:3;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Windows is shutting down"; pcre: "/ 513: | 4609: /"; classtype: program-error; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001184; sid: 5001184; rev:4;)
 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] File system full"; content: " 13570|3a| "; classtype: program-error; program: NtFrs|Ntfs; reference: url,wiki.quadrantsec.com/bin/view/Main/5001191; sid: 5001191; rev:2;)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] System time has changed"; pcre: "/ 520: | 4616: /"; content:!"|3a|\Program Files\VMware\VMware Tools\vmtoolsd.exe"; classtype: program-error; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001194; sid: 5001194; rev:6;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] System time has changed"; pcre: "/ 520: | 4616: /"; content:!"|3a|\Program Files\VMware\VMware Tools\vmtoolsd.exe"; classtype: program-error; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001194; sid: 5001194; rev:7;)
 # DHCP-Server| 1063: There are no IP addresses available for lease in the scope or superscope "VLAN_311_Example".
 # DHCP-Server| 1020: Scope, 10.100.1.0, is 97 percent full with only 2 IP addresses remaining.
@@ -96,23 +96,41 @@
 # BAD RULE BELOW
 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] DHCP Scope if full. No IP addresses left"; content: " 5001650|3a| "; classtype: network-event; program: DHCP-Server; reference: url,wiki.quadrantsec.com/bin/view/Main/5001650; sid: 5001650; rev:2;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Windows audit log was cleared"; pcre: "/ 517: | 1102: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001185; sid: 5001185; rev:4;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Windows audit log was cleared"; pcre: "/ 517: | 1102: /"; classtype: system-event; program: *Security*|Eventlog; reference: url,wiki.quadrantsec.com/bin/view/Main/5001185; sid: 5001185; rev:6;)
 # Brian Echeverry - 05/07/2015
 # SID 5002272 and 5002273 are noisy.
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] A directory service object was modified"; content: " 5136|3a| "; classtype: configuration-change; program: Security|Security-Auditing|EvntSLog; sid:5002272; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] A directory service object was created"; content: " 5137|3a| "; classtype: configuration-change; program: Security|Security-Auditing|EvntSLog; sid:5002273; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] A directory service object was undeleted"; content: " 5138|3a| "; classtype: configuration-change; program: Security|Security-Auditing|EvntSLog; sid:5002274; rev:1;)
-#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] A directory service object was moved"; content: " 5139|3a| "; classtype: configuration-change; program: Security|Security-Auditing|EvntSLog; sid:5002275; rev:1;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] A directory service object was modified"; content: " 5136|3a| "; classtype: configuration-change; program: *Security*; sid:5002272; rev:2;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] A directory service object was created"; content: " 5137|3a| "; classtype: configuration-change; program: *Security*; sid:5002273; rev:2;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] A directory service object was undeleted"; content: " 5138|3a| "; classtype: configuration-change; program: *Security*; sid:5002274; rev:2;)
+#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] A directory service object was moved"; content: " 5139|3a| "; classtype: configuration-change; program: *Security*; sid:5002275; rev:2;)
 alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MISC] System shutdown [FLOWBIT SET]"; content: " 1074|3a| "; program: USER32; flowbits: set, reboot.windows, 60; flowbits: noalert; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5002014; sid: 5002014; rev:6;)
 # Added by Brian Echeverry (09/22/2015)
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Microsoft Antimalware has encountered an error trying to update signatures"; program: Microsoft_Antimalware; content: " 2001|3A| "; reference: url,wiki.quadrantsec.com/bin/view/Main/5002392; threshold: type limit, track by_src, count 1, seconds 86400; classtype: program-error; sid:5002392; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Microsoft Antimalware has encountered an error trying to update signatures"; program: Microsoft_Antimalware; content: " 2001|3A| "; reference: url,wiki.quadrantsec.com/bin/view/Main/5002392; threshold: type limit, track by_src, count 1, seconds 86400; classtype: program-error; sid:5002392; rev:2;)
+
+# Rules added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/21/2015
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Unable to log events to security log"; content: " 521|3a| "; threshold: type limit, track by_src, count 1, seconds 86400; classtype: program-error; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002564; sid:5002564; rev:3;)
+
+# Added by Champ Clark III (04/20/2016) - Great read at http://pastebin.com/raw/0SNSvyjJ
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Installation of service via SCM"; content: " 7045|3a| "; content:!"ForeScout"; nocase; content:!"nxlog"; nocase; content:!"ccmsetup"; nocase; classtype: suspicious-traffic; program: Service_Control_Manager; reference: url,wiki.quadrantsec.com/bin/view/Main/5002817; reference: url,pastebin.com/raw/0SNSvyjJ; sid:5002817; rev:2;)
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Installation of new service via Security Audit "; pcre: "/ 4697: | 601: /"; classtype: suspicious-traffic; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002818; reference: url,pastebin.com/raw/0SNSvyjJ; sid:5002818; rev:2;)
+
+# Added by Champ Clark III (08/19/2016)
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Suspicious event logging service shut down."; content: " 1100|3a| "; flowbits: isnotset,by_src,reboot.windows; classtype: suspicious-traffic; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002941; sid:5002941; rev:3;)
+
+# Added by Champ Clark III (09/01/2016)
+# These target strange errors seen by evtsys.
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Event log has been cleared."; content: " 104|3a| "; content: "cleared"; classtype: suspicious-traffic; program: Eventlog; reference: url,wiki.quadrantsec.com/bin/view/Main/5002954; sid:5002954; rev:1;)
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Subscription calledback error recieved. Logging has likely stopped."; content: " 570|3a| "; content: "callback"; classtype: suspicious-traffic; program: The; reference: url,wiki.quadrantsec.com/bin/view/Main/5002955; sid:5002955; rev:1;)
-# Rules added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/21/2015
-alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Unable to log events to security log"; content: " 521|3a| "; classtype: program-error; program: Security|Security-Auditing; reference: url,wiki.quadrantsec.com/bin/view/Main/5002564; sid:5002564; rev:1;)
diff -Nru sagan-rules-10222015/windows-mssql.rules sagan-rules-20160923/windows-mssql.rules
--- sagan-rules-10222015/windows-mssql.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/windows-mssql.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan windows-mssql.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
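Review bot: The new rule for sid 5002955 matches `program: The`, which reads like the first word of an evtsys message that arrived with no usable program field rather than a deliberate program name; the `# These target strange errors seen by evtsys.` comment hints at that, but the rule itself should record it, e.g. `# 5002955: evtsys emits this 570 event without a program, so the parser sees "The" as the program (TODO confirm against a sample log)`. The msg string also carries a typo, `recieved` should be `received`, which will propagate into every alert it raises. In sid 5002817 the three `content:!` exclusions (`ForeScout`, `nxlog`, `ccmsetup`) are case-insensitive substring matches over the whole 7045 message rather than the service-name field, so a short comment stating why those agents are exempt, and ideally a tighter anchor on the field, would make the exemption reviewable. Sid 5002941 tests `reboot.windows`, which 5002014 sets on `$HOME_NET -> $EXTERNAL_NET` traffic while 5002941 is `$EXTERNAL_NET -> $HOME_NET`; if Sagan's flowbit tracking here is purely by_src that is fine, but the direction mismatch deserves a one-line comment.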
@@ -50,7 +50,7 @@
 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MSSQL] Login Failure"; content: " 18456|3a| "; classtype: unsuccessful-user; program: MSSQL*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001640; sid: 5001640; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $MSSQL_PORT (msg: "[WINDOWS-MSSQL] Login Failure - Brute force [25/1]"; content: " 18456|3a| "; content:!"local machine"; content:!"named pipe"; parse_src_ip: 1; classtype: unsuccessful-user; program: MSSQL*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001641; sid: 5001641; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $MSSQL_PORT (msg: "[WINDOWS-MSSQL] Login Failure - Brute force [25/1]"; content: " 18456|3a| "; content:!"local machine"; content:!"named pipe"; parse_src_ip: 1; classtype: unsuccessful-user; program: MSSQL*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001641; sid: 5001641; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $MSSQL_PORT (msg: "[WINDOWS-MSSQL] Login Failure from non-trusted connection - Brute force [25/1]"; content: " 18452|3a| "; parse_src_ip: 1; classtype: unsuccessful-user; program: MSSQL*; flowbits: set,brute_force, 86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5002402; sid:5002402; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $MSSQL_PORT (msg: "[WINDOWS-MSSQL] Login Failure from non-trusted connection - Brute force [25/1]"; content: " 18452|3a| "; parse_src_ip: 1; classtype: unsuccessful-user; program: MSSQL*; flowbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5002402; sid:5002402; rev:2;)
diff -Nru sagan-rules-10222015/windows-normalize.rulebase sagan-rules-20160923/windows-normalize.rulebase
--- sagan-rules-10222015/windows-normalize.rulebase 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/windows-normalize.rulebase 1970-01-01 00:00:00.000000000 +0000
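Review bot: The new `flowbits: set,brute_force,21600` on sid 5001641 and the change of 5002402 from `86400` to `21600` introduce a 6-hour flowbit lifetime whose rationale is not recorded anywhere in the hunk, while both rules keep `after` at 300 s, `threshold` at 86400 s and `fwsam` at 1 day. A comment above the pair such as `# brute_force flowbit lives 21600s (6h) so downstream isset rules can correlate; keep it consistent with the 86400s threshold window (TODO confirm intended relationship)` would let a reader check the numbers agree. Which rules consume `brute_force` with isset is not visible here, so whether 21600 is long enough cannot be judged from this hunk.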
@@ -1,37 +0,0 @@ -# Sagan windows-normalize.rulebase -# Copyright (c) 2009-2015, Quadrant Information Security -# All rights reserved. -# -# This file is used in conjunction with liblognorm. -# -# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list -# -#************************************************************* -# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the -# following conditions are met: -# -# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following -# disclaimer. -# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the -# following disclaimer in the documentation and/or other materials provided with the distribution. -# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived -# from this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, -# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, -# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE -# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# -#************************************************************* - -#prefix= - -# Note the space at the end! 
-# -#rule=: 529: NT AUTHORITY\\SYSTEM: Logon Failure: Reason: Unknown user name or bad password User Name: %username:word% Domain: %-:word% Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: %-:word% Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: %src-ip:ipv4% Source Port: %src-port:number% - -#rule=: 529: S-1-5-18: Logon Failure: Reason: Unknown user name or bad password User Name: %username:word% Domain: %-:word% Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: %-:word% Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: %src-ip:ipv4% Source Port: %src-port:number% - diff -Nru sagan-rules-10222015/windows-owa-blacklist.rules sagan-rules-20160923/windows-owa-blacklist.rules --- sagan-rules-10222015/windows-owa-blacklist.rules 2015-10-22 15:19:05.000000000 +0000 +++ sagan-rules-20160923/windows-owa-blacklist.rules 2016-09-21 02:52:28.000000000 +0000 @@ -1,5 +1,5 @@ # Sagan windows-owa-blacklist.rules -# Copyright (c) 2009-2015, Quadrant Information Security +# Copyright (c) 2009-2016, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list diff -Nru sagan-rules-10222015/windows-owa-bluedot.rules sagan-rules-20160923/windows-owa-bluedot.rules --- sagan-rules-10222015/windows-owa-bluedot.rules 2015-10-22 15:19:05.000000000 +0000 +++ sagan-rules-20160923/windows-owa-bluedot.rules 2016-09-21 02:52:28.000000000 +0000 @@ -1,5 +1,5 @@ # Sagan windows-owa-bluedot.rules -# Copyright (c) 2009-2015, Quadrant Information Security +# Copyright (c) 2009-2016, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 
@@ -24,5 +24,5 @@ # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[WINDOWS-OWA-BLUEDOT] Login failure - Brute force [5/5]"; content: "/ews/exchange.asmx"; nocase; bluedot: reputation, by_src, $BLUEDOT_NETWORK; classtype: suspicious-traffic; fwsam: src, 1 day; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002352; sid:5002352; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[WINDOWS-OWA-BLUEDOT] Login failure - Brute force [5/5]"; content: "/ews/exchange.asmx"; nocase; bluedot: type ip_reputation, track by_src, none, Malicious, Tor, Honeypot; classtype: suspicious-traffic; fwsam: src, 1 day; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002352; sid:5002352; rev:2;) diff -Nru sagan-rules-10222015/windows-owa-brointel.rules sagan-rules-20160923/windows-owa-brointel.rules --- sagan-rules-10222015/windows-owa-brointel.rules 2015-10-22 15:19:05.000000000 +0000 +++ sagan-rules-20160923/windows-owa-brointel.rules 2016-09-21 02:52:28.000000000 +0000 @@ -1,5 +1,5 @@ # Sagan windows-owa-brointel.rules -# Copyright (c) 2009-2015, Quadrant Information Security +# Copyright (c) 2009-2016, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list diff -Nru sagan-rules-10222015/windows-owa-correlated.rules sagan-rules-20160923/windows-owa-correlated.rules --- sagan-rules-10222015/windows-owa-correlated.rules 2015-10-22 15:19:05.000000000 +0000 +++ sagan-rules-20160923/windows-owa-correlated.rules 2016-09-21 02:52:28.000000000 +0000 
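Review bot: The msg on sid 5002352 still reads `Login failure - Brute force [5/5]`, but the rewritten rule has no `after:` or `threshold:` and no login-failure indicator (no status code or `reason=` content); it matches any line containing `/ews/exchange.asmx` whose source is in the Malicious, Tor or Honeypot Bluedot categories and issues `fwsam: src, 1 day` on every hit. A single request from a mis-categorised address is therefore enough to block it for a day. Either add the counters the OWA rules use, `after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400;`, or rename the msg to what actually fires, e.g. `[WINDOWS-OWA-BLUEDOT] EWS request from Bluedot-flagged source`.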
@@ -1,5 +1,5 @@
 # Sagan windows-owa-correlated.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/windows-owa-geoip.rules sagan-rules-20160923/windows-owa-geoip.rules
--- sagan-rules-10222015/windows-owa-geoip.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/windows-owa-geoip.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan windows-owa-geoip.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/windows-owa.rules sagan-rules-20160923/windows-owa.rules
--- sagan-rules-10222015/windows-owa.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/windows-owa.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan windows-owa.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
@@ -36,6 +36,6 @@ # 10.1.2.1|user|notice|notice|0d|2015-04-23|00:39:14|SERVER.local IISWebLog 0 2015-04-23| 00:31:32 10.1.2.1 GET /owa/auth/logon.aspx replaceCurrent=1&reason=2&url=https%3a%2f%2fwebmail.example.org%2fowa%2f 443 - 12.12.12.12 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) cookieTest=1;+OutlookSession=ba7a32d49c144484d9fb790bd1f;+PBack=0;+tzid=Eastern+Standard+Time;+owacsdc=1 - 200 0 0 0 # 10.1.2.1|user|notice|notice|0d|2015-04-23|00:39:14|SERVER.local IISWebLog 0 2015-04-23| 00:31:32 10.1.2.1 POST /owa/auth.owa - 443 bob 12.12.12.12 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) OutlookSession=b87b312d49b7441891b1099fb790bd1e;+PBack=0;+tzid=Eastern+Standard+Time;+owacsdc=1 https://webmail.example.org/owa/auth/logon.aspx?replaceCurrent=1&reason=2&url=https%3a%2f%2fwebmail.example.org%2fowa%2f 401 1 1326 3156 -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[WINDOWS-OWA] Login failure - Brute force [25/1]"; content: "/owa/auth/logon.aspx"; nocase; content: "reason=2&"; flowbits: set,brute_force,86400; classtype: unsuccessful-user; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; fwsam: src, 1 day; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002264; sid: 5002264; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[WINDOWS-OWA] Login failure - Brute force [25/1]"; content: "/owa/auth/logon.aspx"; nocase; content: "reason=2&"; flowbits: set,brute_force,21600; classtype: unsuccessful-user; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; fwsam: src, 1 day; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002264; sid: 5002264; rev:5;) diff -Nru sagan-rules-10222015/windows-sysmon.rules sagan-rules-20160923/windows-sysmon.rules --- sagan-rules-10222015/windows-sysmon.rules 1970-01-01 
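Review bot: On sid 5002264 `parse_src_ip: 1; parse_dst_ip: 2;` select the first and second IP address in the event, but in the sample IIS lines kept above the rule the first address in the message body is the server's `10.1.2.1` (s-ip) and the client `12.12.12.12` (c-ip) comes second, so if Sagan counts from the message body rather than the syslog host the rule would track and `fwsam`-block the OWA server instead of the attacker — worth confirming against a live event before trusting the block. Separately, `content: "reason=2&"` is case-sensitive while the preceding `/owa/auth/logon.aspx` has `nocase`; the sample shows the literal query so it likely matches, but adding `nocase` keeps the two consistent. A comment stating which IP position is the client (`# IIS W3C: s-ip precedes c-ip`) would prevent the next edit from repeating the question.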
00:00:00.000000000 +0000
+++ sagan-rules-20160923/windows-sysmon.rules 2016-09-21 02:52:28.000000000 +0000
@@ -0,0 +1,79 @@ +# Sagan windows-sysmon.rules +# Copyright (c) 2009-2016, Quadrant Information Security +# All rights reserved. +# +# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list +# +#************************************************************* +# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the +# following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following +# disclaimer. +# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the +# following disclaimer in the documentation and/or other materials provided with the distribution. +# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE +# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+# +#************************************************************* + +# Sysmon| 1: Process Create: UtcTime: 2016-04-08 03:54:58.330 ProcessGuid: {E67F94C7-2B92-5707-0000-001050880400} ProcessId: 2004 Image: C:\Windows\System32\audiodg.exe CommandLine: C:\Windows\system32\AUDIODG.EXE 0x74c CurrentDirectory: C:\Windows User: NT AUTHORITY\LOCAL SERVICE LogonGuid: {E67F94C7-2A7B-5707-0000-0020E5030000} LogonId: 0x3e5 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA1=F033FD30AACD0183BFC30861891A92B56AC2468B,MD5=D5CCA1453B98A5801E6D5FF0FF89DC6C,SHA256=85F2C2480AAC31B6092187B431A562D79D4CFB1324F925C85055ABAB2483264B ParentProcessGuid: {E67F94C7-2A7B-5707-0000-00102A9E0000} ParentProcessId: 772 ParentImage: C:\Windows\System32\svchost.exe ParentCommandLine: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted + +# Created by Champ Clark 04/08/2016. You'll need PSEXEC_MD5 defined in your sagan.conf! + +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] PSExec execution detected"; content: " 1: "; meta_content: "MD5=%sagan%,",$PSEXEC_MD5; classtype: suspicious-command; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002799; sid:5002799; rev:1;) + + +# Locky Ransomware +# Champ Clark 04/08/2016 + +# Sysmon| 1: Process Create: UtcTime: 2016-04-08 05:29:03.829 ProcessGuid: {E67F94C7-419F-5707-0000-00103FB11D00} ProcessId: 2920 Image: C:\Windows\System32\notepad.exe CommandLine: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\frankw\Desktop\_HELP_instructions.txt CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=7EB0139D2175739B3CCB0D1110067820BE6ABD29,MD5=F2C7BB8ACC97F92E987A2D4087D021B1,SHA256=142E1D688EF0568370C37187FD9F2351D7DDEDA574F8BFA9B0FA4EF42DB85AA2 ParentProcessGuid: {E67F94C7-414A-5707-0000-001049CA1900} ParentProcessId: 1704 ParentImage: 
C:\Users\frankw\AppData\Local\Temp\30e22374e00af038d06063db14cb3797.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\30e22374e00af038d06063db14cb3797.exe" + +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Locky ransomware instructions detected!"; content: " 1: "; content: "notepad.exe"; nocase; content: "_HELP_instructions.txt "; classtype: trojan-activity; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002802; sid:5002802; rev:1;) + +# vssadmin.exe is sometimes used by malware to delete shadow volume copied. Below is Locky: +# Champ Clark 04/08/2016 + +# 1: Process Create: UtcTime: 2016-04-08 05:28:44.314 ProcessGuid: {E67F94C7-418C-5707-0000-00103EB31C00} ProcessId: 2404 Image: C:\Windows\System32\vssadmin.exe CommandLine: vssadmin.exe Delete Shadows /All /Quiet CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=09FAFEB1B8404124B33C44440BE7E3FDB6105F8A,MD5=E23DD973E1444684EB36365DEFF1FC74,SHA256=4DE7FA20E3224382D8C4A81017E5BDD4673AFBEF9C0F017E203D7B78977FBF8C ParentProcessGuid: {E67F94C7-414A-5707-0000-001049CA1900} ParentProcessId: 1704 ParentImage: C:\Users\frankw\AppData\Local\Temp\30e22374e00af038d06063db14cb3797.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\30e22374e00af038d06063db14cb3797.exe" + +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] vssadmin.exe execution. 
Possible ransomware"; content: " 1: "; content: "vssadmin.exe"; nocase; content: "Delete Shadows"; nocase; classtype: trojan-activity; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002803; sid:5002803; rev:1;) + +# NEW RULES: + +# daemon|notice|notice|1d|2016-04-08|05:52:28|Sysmon| 1: Process Create: UtcTime: 2016-04-08 05:52:28.315 ProcessGuid: {E67F94C7-471C-5707-0000-0010FB0B1A00} ProcessId: 688 Image: C:\Windows\System32\wbem\WMIC.exe CommandLine: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=071A645A88E4236281E58B90A5D50A2AC80E26E5,MD5=FD902835DEAEF4091799287736F3A028,SHA256=DA3AD32583644BD20116F0479C178F7C7C0B730728F4C02A438C0D19378C83D9 ParentProcessGuid: {E67F94C7-471A-5707-0000-0010DAF41900} ParentProcessId: 2796 ParentImage: C:\Windows\jacjfunqpvji.exe ParentCommandLine: C:\Windows\jacjfunqpvji.exe + +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - shadowcopy delete"; content: " 1: "; content: "wmic"; nocase; content: "shadowcopy delete"; nocase; classtype: suspicious-command; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002810; sid:5002810; rev:1;) + +# daemon|notice|notice|1d|2016-04-09|03:56:50|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:56:50.199 ProcessGuid: {E67F94C7-7D82-5708-0000-001042E21B00} ProcessId: 2628 Image: C:\Windows\SysWOW64\wbem\WMIC.exe CommandLine: WMIC csproduct Get UUID /FORMAT:textvaluelist.xsl CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\nshD809.tmp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: 
SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7D80-5708-0000-00101DF4 1A00} ParentProcessId: 3004 ParentImage: C:\Users\frankw\AppData\Local\Temp\b0fdb231b2d3740553c13c7762a9304e.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\b0fdb231b2d3740553c13c7762a9304e.exe" + +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - csproduct GET UUID"; content: " 1: "; content: "wmic"; nocase; content: "csproduct Get UUID"; nocase; classtype: suspicious-command; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002811; sid:5002811; rev:1;) + +# daemon|notice|notice|1d|2016-04-09|03:56:50|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:56:50.870 ProcessGuid: {E67F94C7-7D82-5708-0000-0010C8731C00} ProcessId: 768 Image: C:\Windows\SysWOW64\wbem\WMIC.exe CommandLine: WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\nshD809.tmp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7D80-5708-0000-00101DF41A00} ParentProcessId: 3004 ParentImage: C:\Users\frankw\AppData\Local\Temp\b0fdb231b2d3740553c13c7762a9304e.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\b0fdb231b2d3740553c13c7762a9304e.exe" + +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - bios Get SerialNumber"; content: " 1: "; content: "wmic"; nocase; content: "bios Get SerialNumber"; nocase; classtype: suspicious-command; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002812; sid:5002812; rev:1;) + +# 
daemon|notice|notice|1d|2016-04-09|03:56:51|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:56:51.432 ProcessGuid: {E67F94C7-7D83-5708-0000-001007D91C00} ProcessId: 2256 Image: C:\Windows\SysWOW64\wbem\WMIC.exe CommandLine: WMIC bios Get Version /FORMAT:textvaluelist.xsl CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\nshD809.tmp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7D80-5708-0000-00101DF41A00} ParentProcessId: 3004 ParentImage: C:\Users\frankw\AppData\Local\Temp\b0fdb231b2d3740553c13c7762a9304e.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\b0fdb231b2d3740553c13c7762a9304e.exe" + +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - bios Get Version"; content: " 1: "; content: "wmic"; nocase; content: "bios Get Version"; nocase; classtype: suspicious-command; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002813; sid:5002813; rev:1;) + +# daemon|notice|notice|1d|2016-04-09|03:57:49|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:57:49.213 ProcessGuid: {E67F94C7-7DBD-5708-0000-001099CD0600} ProcessId: 1420 Image: C:\Windows\SysWOW64\wbem\WMIC.exe CommandLine: WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\nsh1DDF.tmp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-333C-5707-0000-0020CFB40100} LogonId: 0x1b4cf TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7DB4-5708-0000-00100B100600} ParentProcessId: 2628 ParentImage: 
C:\Users\frankw\AppData\Local\Temp\39e67671f65fae38e065f5db614f679c.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\39e67671f65fae38e065f5db614f679c.exe" + +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - bios Get SerialNumber"; content: " 1: "; content: "wmic"; nocase; content: "bios Get SerialNumber"; nocase; classtype: suspicious-command; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002814; sid:5002814; rev:1;) + +# daemon|notice|notice|1d|2016-04-09|03:57:49|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:57:49.068 ProcessGuid: {E67F94C7-7DBD-5708-0000-0010AF1D0700} ProcessId: 668 Image: C:\Windows\SysWOW64\wbem\WMIC.exe CommandLine: WMIC csproduct Get Name /FORMAT:textvaluelist.xsl CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\nsj3A92.tmp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-333C-5707-0000-0020DCBC0100} LogonId: 0x1bcdc TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7DB3-5708-0000-0010143A0600} ParentProcessId: 592 ParentImage: C:\Users\frankw\AppData\Local\Temp\3f6811d8687a30b68fa02d6eb5536493.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\3f6811d8687a30b68fa02d6eb5536493.exe" + +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - csproduct Get Name"; content: " 1: "; content: "wmic"; nocase; content: "csproduct Get Name"; nocase; classtype: suspicious-command; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002815; sid:5002815; rev:1;) + +# daemon|notice|notice|1d|2016-04-09|03:55:09|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:55:09.240 ProcessGuid: {E67F94C7-7D1D-5708-0000-001041E40700} ProcessId: 1556 Image: C:\Windows\SysWOW64\wbem\WMIC.exe CommandLine: wmic computersystem get model 
/format:list CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32FD-5707-0000-00203DB30100} LogonId: 0x1b33d TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7D1C-5708-0000-0010CDC80700} ParentProcessId: 2936 ParentImage: C:\Windows\SysWOW64\cmd.exe ParentCommandLine: "C:\Windows\system32\cmd.exe" /C wmic computersystem get model /format:list + +alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - computersystem get model"; content: " 1: "; content: "wmic"; nocase; content: "computersystem get model"; nocase; classtype: suspicious-command; program: Sysmon; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002816; sid:5002816; rev:1;) + + diff -Nru sagan-rules-10222015/wordpress.rules sagan-rules-20160923/wordpress.rules --- sagan-rules-10222015/wordpress.rules 2015-10-22 15:19:05.000000000 +0000 +++ sagan-rules-20160923/wordpress.rules 2016-09-21 02:52:28.000000000 +0000 @@ -1,5 +1,5 @@ # Sagan wordpress.rules -# Copyright (c) 2009-2015, Quadrant Information Security +# Copyright (c) 2009-2016, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list diff -Nru sagan-rules-10222015/xinetd.rules sagan-rules-20160923/xinetd.rules --- sagan-rules-10222015/xinetd.rules 2015-10-22 15:19:05.000000000 +0000 +++ sagan-rules-20160923/xinetd.rules 2016-09-21 02:52:28.000000000 +0000 
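Review bot: sid 5002814 is an exact duplicate of sid 5002812 — same `content: "bios Get SerialNumber"; nocase;` match and same msg — so every matching Process Create event raises two alerts; drop 5002814 or give it a distinct match (the sample that introduced it differs from the earlier one only in the parent image). The PSExec rule 5002799 keys solely on `MD5=$PSEXEC_MD5,`, so it fires only for the one build whose hash is configured and is silent for any other version; a comment such as `# Matches only the psexec build whose MD5 is set in PSEXEC_MD5 — update the hash when the tool is updated` should say so. Every `reference:` in this file embeds `sid:` in the wiki path (`.../Main/sid:5002799`) whereas the other rule files use `.../Main/<sid>`; this looks like a copy error rather than a real wiki path. Minor: `delete shadow volume copied` in the vssadmin comment should read `copies`.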
@@ -1,5 +1,5 @@
 # Sagan xinetd.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
diff -Nru sagan-rules-10222015/yubikey.rules sagan-rules-20160923/yubikey.rules
--- sagan-rules-10222015/yubikey.rules 1970-01-01 00:00:00.000000000 +0000
+++ sagan-rules-20160923/yubikey.rules 2016-09-21 02:52:28.000000000 +0000
@@ -0,0 +1,28 @@ +# Sagan yubikey.rules +# Copyright (c) 2009-2016, Quadrant Information Security +# All rights reserved. +# +# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list +# +#************************************************************* +# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the +# following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following +# disclaimer. +# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the +# following disclaimer in the documentation and/or other materials provided with the distribution. +# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE +# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+
+alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[YUBIKEY] Invalid OTP"; program: yk_chkpwd; content: "password check failed for user"; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002735; sid:5002735; rev:1;)
diff -Nru sagan-rules-10222015/zeus.rules sagan-rules-20160923/zeus.rules
--- sagan-rules-10222015/zeus.rules 2015-10-22 15:19:05.000000000 +0000
+++ sagan-rules-20160923/zeus.rules 2016-09-21 02:52:28.000000000 +0000
@@ -1,5 +1,5 @@
 # Sagan zeus.rules
-# Copyright (c) 2009-2015, Quadrant Information Security
+# Copyright (c) 2009-2016, Quadrant Information Security
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
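Review bot: sid 5002735 only alerts after `after: track by_src, count 5, seconds 300` and then permits up to five alerts per 300 seconds via `threshold: type limit ... count 5`, but the msg `[YUBIKEY] Invalid OTP` carries none of the `[N/M]` suffix the sibling brute-force rules use, so an analyst cannot tell from the alert that five failures were already aggregated; `msg: "[YUBIKEY] Invalid OTP - Brute force [5/5]"` would match the convention. The rule has no `parse_src_ip`, so `by_src` presumably keys on the reporting host rather than the remote client — acceptable for a PAM helper log, but worth a comment stating that the count is per host, not per attacker. Unlike the Sysmon file, no sample log line is recorded; a `# <sample yk_chkpwd line>` comment above the rule would document where `password check failed for user` comes from and let the next maintainer verify the match.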