59 lines
18 KiB
Plaintext
59 lines
18 KiB
Plaintext
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
|
|
#
|
|
# This file contains (i) proprietary rules that were created, tested and certified by
|
|
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
|
|
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
|
|
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
|
|
# GNU General Public License (GPL), v2.
|
|
#
|
|
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
|
|
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
|
|
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
|
|
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
|
|
# list of third party owners and their respective copyrights.
|
|
#
|
|
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
|
|
# to the VRT Certified Rules License Agreement (v2.0).
|
|
#
|
|
#----------------------
|
|
# INDICATOR-SCAN RULES
|
|
#----------------------
|
|
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN SSH brute force login attempt"; flow:to_server,established,no_stream; content:"SSH-"; depth:4; detection_filter:track by_src, count 5, seconds 60; metadata:policy max-detect-ips drop, service ssh; reference:cve,2012-6066; reference:cve,2015-5600; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,attack.mitre.org/techniques/T1110; classtype:misc-activity; sid:19559; rev:10;)
|
|
# alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"INDICATOR-SCAN xtacacs failed login response"; flow:to_client; content:"|80 02|"; depth:2; content:"|02|"; distance:4; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:misc-activity; sid:2041; rev:8;)
|
|
# alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"INDICATOR-SCAN isakmp login failed"; content:"|10 05|"; depth:2; offset:17; content:"|00 00 00 01 01 00 00 18|"; within:8; distance:13; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:misc-activity; sid:2043; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"INDICATOR-SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:616; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"INDICATOR-SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:619; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN ipEye SYN scan"; flow:stateless; flags:S; seq:1958810375; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:622; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN synscan portscan"; flow:stateless; flags:SF; id:39426; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:630; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:626; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:627; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"INDICATOR-SCAN Amanda client-version request"; flow:to_server; content:"Amanda"; fast_pattern:only; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:634; rev:9;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"INDICATOR-SCAN XTACACS logout"; flow:to_server; content:"|80 07 00 00 07 00 00 04 00 00 00 00 00|"; fast_pattern:only; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:bad-unknown; sid:635; rev:10;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"INDICATOR-SCAN cybercop udp bomb"; flow:to_server; content:"cybercop"; fast_pattern:only; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:bad-unknown; sid:636; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN Webtrends Scanner UDP Probe"; flow:to_server; content:"|0A|help|0A|quite|0A|"; fast_pattern:only; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,www.netiq.com/products/vsm/default.asp; classtype:attempted-recon; sid:637; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; fast_pattern:only; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:network-scan; sid:1638; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:1133; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"INDICATOR-SCAN UPnP service discover attempt"; flow:to_server,established; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:network-scan; sid:8081; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN Proxyfire.net anonymous proxy scan"; flow:to_server,established; content:"proxyfire.net/fastenv"; nocase; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,www.proxyfire.net/index.php; classtype:network-scan; sid:18179; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN Skipfish scan iPhone agent string"; flow:established,to_server; content:"User-Agent: Mozilla/5.0 (iPhone|3B| U|3B| CPU iPhone OS 4_1 like Mac OS X|3B| en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8B117 Safari/6531.22.7 SF/"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,code.google.com/p/skipfish/; classtype:network-scan; sid:23604; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN Skipfish scan default agent string"; flow:established,to_server; content:"User-Agent: Mozilla/5.0 SF/"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,attack.mitre.org/techniques/T1078; reference:url,code.google.com/p/skipfish/; classtype:network-scan; sid:23601; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN Skipfish scan Firefox agent string"; flow:established,to_server; content:"User-Agent: Mozilla/5.0 (Windows|3B| U|3B| Windows NT 5.1|3B| en-US|3B| rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 SF/"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,code.google.com/p/skipfish/; classtype:network-scan; sid:23602; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN Skipfish scan MSIE agent string"; flow:established,to_server; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 5.1|3B| Trident/4.0|3B| .NET CLR 1.1.4322|3B| InfoPath.1|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729|3B| SF/"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,code.google.com/p/skipfish/; classtype:network-scan; sid:23603; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN L3retriever HTTP Probe"; flow:to_server,established; content:"User-Agent|3A| Java1.2.1|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:web-application-activity; sid:1100; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN Webtrends HTTP probe"; flow:to_server,established; content:"User-Agent|3A| Webtrends Security Analyzer|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:web-application-activity; sid:1101; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN DirBuster brute forcing tool detected"; flow:to_server,established; content:"User-Agent|3A| DirBuster"; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,attack.mitre.org/techniques/T1110; reference:url,sourceforge.net/projects/dirbuster/; classtype:web-application-attack; sid:19933; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN sqlmap SQL injection scan attempt"; flow:to_server,established; content:"User-Agent|3A| sqlmap"; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,sqlmap.sourceforge.net; classtype:web-application-activity; sid:19779; rev:7;)
|
|
# alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"INDICATOR-SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:613; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"INDICATOR-SCAN UPnP WANIPConnection"; flow:to_server; content:"M-SEARCH *"; depth:10; content:"MX: 2|0D 0A|"; nocase; content:"ssdp|3A|discover"; nocase; content:"urn:schemas-upnp-org:service:WANIPConnection:1"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:network-scan; sid:28003; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"INDICATOR-SCAN UPnP WANPPPConnection"; flow:to_server; content:"M-SEARCH *"; depth:10; content:"MX: 2|0D 0A|"; nocase; content:"ssdp|3A|discover"; nocase; content:"urn:schemas-upnp-org:service:WANPPPConnection:1"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:network-scan; sid:28002; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN User-Agent known malicious user-agent Masscan"; flow:to_server,established; content:"User-Agent|3A| masscan"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,github.com/robertdavidgraham/masscan/blob/master/doc/masscan.8.markdown; classtype:misc-activity; sid:28301; rev:3;)
|
|
# alert udp $EXTERNAL_NET 2425 -> $HOME_NET 2425 (msg:"INDICATOR-SCAN inbound probing for IPTUX messenger port "; flow:to_server; content:"iptux"; depth:5; offset:2; content:"lws|3A|lws"; within:7; distance:9; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,github.com/iptux-src/iptux; classtype:misc-activity; sid:28552; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN User-Agent known malicious user-agent The Mole"; flow:to_server,established; content:"User-Agent: Mozilla/The Mole"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,themole.sourceforge.net/; classtype:misc-activity; sid:29462; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"INDICATOR-SCAN UPnP service discover attempt"; flow:to_server; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:network-scan; sid:1917; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-SCAN Microsoft Internet Explorer AnchorElement information disclosure attempt"; flow:to_server,established; file_data; content:"|22|pcap|22 2C 20 22|rar|22 2C 20 22|zip|22 2C 20 22|chls|22 2C 20 22|py|22 2C 20 22|halog|22 2C 20 22|har|22 2C 20 22|hwl|22 2C 20 22|cap|22|"; fast_pattern:only; metadata:service smtp; reference:cve,2016-3351; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-104; classtype:attempted-recon; sid:40095; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SCAN Microsoft Internet Explorer AnchorElement information disclosure attempt"; flow:to_client,established; file_data; content:"|22|pcap|22 2C 20 22|rar|22 2C 20 22|zip|22 2C 20 22|chls|22 2C 20 22|py|22 2C 20 22|halog|22 2C 20 22|har|22 2C 20 22|hwl|22 2C 20 22|cap|22|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3351; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-104; classtype:attempted-recon; sid:40094; rev:2;)
|
|
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"INDICATOR-SCAN Cisco Smart Install Protocol scan TFTP response"; flow:to_server; dsize:20; content:"|00 01|random_file|00|octet|00|"; depth:20; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service tftp; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-recon; sid:41793; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN PHP info leak attempt"; flow:to_server,established; content:"/phpinfo.php"; fast_pattern:only; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,secure.php.net/manual/en/function.phpinfo.php; classtype:attempted-recon; sid:42289; rev:2;)
|
|
# alert udp $EXTERNAL_NET 53 -> $HOME_NET 53 (msg:"INDICATOR-SCAN DNS version.bind string information disclosure attempt"; flow:to_server; content:"versio"; fast_pattern; content:"|00 10 00 03|"; within:260; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2017-0171; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:42785; rev:4;)
|