345 lines
133 KiB
Plaintext
345 lines
133 KiB
Plaintext
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
|
|
#
|
|
# This file contains (i) proprietary rules that were created, tested and certified by
|
|
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
|
|
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
|
|
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
|
|
# GNU General Public License (GPL), v2.
|
|
#
|
|
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
|
|
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
|
|
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
|
|
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
|
|
# list of third party owners and their respective copyrights.
|
|
#
|
|
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
|
|
# to the VRT Certified Rules License Agreement (v2.0).
|
|
#
|
|
#--------------------
|
|
# POLICY-OTHER RULES
|
|
#--------------------
|
|
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Shockwave Flash file using doswf packer"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"ByteArray"; content:"doswf"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:policy-violation; sid:37929; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Shockwave Flash suspicious flash file using URLDownloadToFileA"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"ByteArray"; content:"URLDownloadToFileA"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:policy-violation; sid:37928; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Shockwave Flash file using doswf packer"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ByteArray"; content:"doswf"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0569; reference:url,www.adobe.com/support/security/bulletins/apsb14-22.html; classtype:policy-violation; sid:37923; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Shockwave Flash suspicious flash file using URLDownloadToFileA"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ByteArray"; content:"URLDownloadToFileA"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:37922; rev:2;)
|
|
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER Microsoft Windows SMB potential group policy fallback exploit attempt"; flow:to_server,established,no_stream; content:"|FF|SMB"; depth:4; offset:4; content:"|5C 00|g|00|p|00|t|00|T|00|m|00|p|00|l|00|.|00|i|00|n|00|f|00 00|"; fast_pattern:only; detection_filter:track by_src,count 5,seconds 2; metadata:service netbios-ssn; reference:cve,2015-0009; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-014; classtype:policy-violation; sid:33429; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"POLICY-OTHER Microsoft Windows Terminal server RDP attempt"; flow:to_server,established; content:"|03 00 00 0B 06 E0 00 00 00 00 00|"; depth:11; metadata:ruleset community, service rdp; reference:bugtraq,3099; reference:cve,2001-0540; reference:cve,2001-0663; reference:nessus,10940; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052; classtype:protocol-command-decode; sid:1447; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"POLICY-OTHER Microsoft Windows Terminal server request attempt"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|E0 00 00 00 00 00|"; depth:6; offset:5; metadata:ruleset community, service rdp; reference:bugtraq,3099; reference:cve,2001-0540; reference:cve,2001-0663; reference:nessus,10940; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052; classtype:protocol-command-decode; sid:1448; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"POLICY-OTHER Microsoft Windows Terminal Server no encryption session initiation attempt"; flow:to_server,established; content:"|03 00 01|"; depth:3; content:"|00|"; depth:1; offset:288; metadata:ruleset community; reference:cve,2001-0663; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052; classtype:attempted-dos; sid:2418; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Seagate BlackArmor administrator password reset attempt"; flow:to_server,established; content:"/d41d8cd98f00b204e9800998ecf8427e.php"; fast_pattern:only; http_uri; metadata:policy security-ips drop, service http; reference:cve,2012-2568; reference:url,www.kb.cert.org/vuls/id/515283; classtype:attempted-admin; sid:23102; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"POLICY-OTHER script tag in URI - likely cross-site scripting attempt"; flow:to_server,established; content:"<SCRIPT"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2012-1857; reference:cve,2014-4075; reference:cve,2014-4116; reference:cve,2015-1653; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-064; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-073; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-036; classtype:web-application-attack; sid:7070; rev:22;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"POLICY-OTHER AFS access"; flow:to_server; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:ruleset community; reference:nessus,10441; classtype:misc-activity; sid:1504; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY-OTHER FTP anonymous login attempt"; flow:to_server,established; content:"USER"; fast_pattern:only; pcre:"/^USER\s+(anonymous|ftp)[^\w]*[\r\n]/smi"; metadata:ruleset community, service ftp; classtype:misc-activity; sid:553; rev:13;)
|
|
# alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"POLICY-OTHER WinGate telnet server response"; flow:to_client,established; content:"WinGate>"; metadata:ruleset community; reference:cve,1999-0657; classtype:misc-activity; sid:555; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"POLICY-OTHER HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; metadata:ruleset community; reference:bugtraq,2245; classtype:misc-activity; sid:568; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 (msg:"POLICY-OTHER HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; metadata:ruleset community; reference:bugtraq,2245; classtype:misc-activity; sid:510; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"POLICY-OTHER PPTP Start Control Request attempt"; flow:to_server,established,no_stream; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; metadata:ruleset community; classtype:attempted-admin; sid:2044; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"POLICY-OTHER xtacacs login attempt"; flow:to_server; content:"|80 01|"; depth:2; content:"|00|"; distance:4; metadata:ruleset community; classtype:misc-activity; sid:2040; rev:7;)
|
|
# alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"POLICY-OTHER xtacacs accepted login response"; flow:to_client; content:"|80 02|"; depth:2; content:"|01|"; distance:4; metadata:ruleset community; classtype:misc-activity; sid:2042; rev:7;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"POLICY-OTHER IPSec PGPNet connection attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00|P|01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 10|"; fast_pattern:only; metadata:ruleset community; classtype:protocol-command-decode; sid:1771; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 9030:9031 (msg:"POLICY-OTHER TOR traffic anonymizer server request"; flow:established,to_server; content:"GET /tor/server"; fast_pattern:only; classtype:policy-violation; sid:9324; rev:5;)
|
|
# alert udp $HOME_NET any -> $EXTERNAL_NET 3544 (msg:"POLICY-OTHER Outbound Teredo traffic detected"; flow:to_server; content:" |01|"; depth:2; offset:8; byte_test:1,&,96,0; reference:cve,2007-3038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-038; classtype:policy-violation; sid:12065; rev:5;)
|
|
# alert udp $EXTERNAL_NET 3544 -> $HOME_NET any (msg:"POLICY-OTHER Inbound Teredo traffic detected"; flow:to_server; content:"?|FE 83 1F|"; depth:4; offset:8; byte_test:1,&,96,0; reference:cve,2007-3038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-038; classtype:policy-violation; sid:12068; rev:5;)
|
|
# alert udp $EXTERNAL_NET 3544 -> $HOME_NET any (msg:"POLICY-OTHER Inbound Teredo traffic detected"; flow:to_server; content:" |01|"; depth:2; offset:8; byte_test:1,&,96,0; reference:cve,2007-3038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-038; classtype:policy-violation; sid:12066; rev:6;)
|
|
# alert udp $HOME_NET any -> $EXTERNAL_NET 3544 (msg:"POLICY-OTHER Outbound Teredo traffic detected"; flow:to_server; content:"?|FE 83 1F|"; depth:4; offset:8; byte_test:1,&,96,0; reference:cve,2007-3038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-038; classtype:policy-violation; sid:12067; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"POLICY-OTHER TOR proxy connection initiation - second alternate port"; flow:to_server,established; content:"TOR"; content:"client <identity>"; classtype:policy-violation; sid:13698; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"POLICY-OTHER TOR proxy connection initiation - alternate port"; flow:to_server,established; content:"TOR"; content:"client <identity>"; classtype:policy-violation; sid:13697; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER Microsoft Windows Dr. Watson error reporting attempt"; flow:to_server,established; content:"User-Agent|3A| MSDW|0D 0A|"; fast_pattern:only; http_header; content:"watson.microsoft.com"; http_header; content:"StageOne"; http_uri; metadata:service http; reference:url,oca.microsoft.com/en/dcp20.asp; classtype:policy-violation; sid:13864; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER proxycgi proxy connection detected"; flow:established,to_server; content:"/cgi-bin/anon-www.cgi/http"; fast_pattern:only; http_uri; metadata:service http; reference:url,anonymouse.org; classtype:policy-violation; sid:19475; rev:4;)
|
|
# alert udp $HOME_NET any -> any 53 (msg:"POLICY-OTHER hamachi VPN outbound traffic detected"; flow:to_server; content:"|01 00|"; depth:2; offset:2; content:"|0A|hamachi-dc|0F|logmein-gateway|03|com"; fast_pattern:only; reference:url,secure.logmein.com/products/hamachi2/download.aspx; classtype:policy-violation; sid:19474; rev:3;)
|
|
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER stunnel proxy connection detected"; flow:established,to_client; content:"|13 16|Stunnel Developers Ltd"; fast_pattern:only; reference:url,en.wikipedia.org/wiki/Stunnel; classtype:policy-violation; sid:19473; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER proxytunnel proxy connection detected"; flow:established,to_server; content:"CONNECT localhost|3A|22"; depth:20; nocase; metadata:service http; reference:url,proxytunnel.sourceforge.net; classtype:policy-violation; sid:19472; rev:4;)
|
|
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"POLICY-OTHER dnstunnel v0.5 outbound traffic detected"; flow:to_server,no_stream; content:"|01 00|"; depth:2; offset:2; byte_test:1,>,20,12; content:!"sophosxl|03|net"; content:!"senderbase|03|org"; content:!"proofpoint|03|com"; content:!"|01|j|02|e5|02|sk"; content:"|00 10 00 01|"; offset:34; detection_filter:track by_src, count 10, seconds 1; metadata:service dns; reference:url,www.hsc.fr/ressources/outils/dns2tcp/index.html.en; classtype:policy-violation; sid:19471; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER Rapidshare file-sharing site contacted"; flow:established,to_server; content:"auth.html?"; nocase; http_uri; content:"authcode="; distance:0; nocase; http_uri; content:"Host|3A| www.rapidshare.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.rapidshare.com; classtype:policy-violation; sid:19737; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER Filesonic file-sharing site contacted"; flow:established,to_server; content:"Host|3A|"; nocase; http_header; content:"www.filesonic.com"; within:50; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.filesonic.com; classtype:policy-violation; sid:19735; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER Megaupload file-sharing site contacted"; flow:established,to_server; content:"/upload_done.php"; nocase; http_uri; content:".megaupload.com"; fast_pattern:only; http_header; pcre:"/^Host\x3A[^\r\n]+\.megaupload\.com/Hsmi"; metadata:service http; reference:url,www.megaupload.com; classtype:policy-violation; sid:19736; rev:5;)
|
|
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER logmein.com connection attempt"; flow:to_client,established; content:"secure|2E|logmein|2E|com"; fast_pattern:only; reference:url,secure.logmein.com; classtype:policy-violation; sid:19780; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER Glype proxy usage detected"; flow:established,to_server; content:"/browse.php?"; nocase; http_uri; content:"u=Oi8v"; distance:0; nocase; http_uri; content:"b="; distance:0; nocase; http_uri; metadata:service http; reference:url,www.glype.com; classtype:policy-violation; sid:20136; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER Privoxy disabling of x-filter"; flow:to_server,established; content:"x|2D|filter|3A|"; nocase; http_header; content:"No"; within:10; nocase; http_header; metadata:service http; reference:cve,2007-6724; reference:url,pseudo-flaw.net/content/tor/vidalia-insecure-privoxy-configuration/; classtype:policy-violation; sid:20243; rev:4;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER possible forced privoxy disabling"; flow:to_client,established; content:"Location|3A|"; nocase; http_header; content:"http|3A 2F 2F|www|2E|privoxy|2E|org|2F|config|2F 3F|set|3D|disable"; within:100; nocase; http_header; metadata:service http; reference:cve,2007-6724; reference:url,pseudo-flaw.net/content/tor/vidalia-insecure-privoxy-configuration/; classtype:policy-violation; sid:20244; rev:5;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER remote privoxy config access"; flow:to_client,established; content:"Location|3A|"; nocase; http_header; content:"http|3A 2F 2F|www|2E|privoxy|2E|org|2F|config|2F|"; within:100; nocase; http_header; metadata:service http; reference:cve,2007-6724; reference:url,pseudo-flaw.net/content/tor/vidalia-insecure-privoxy-configuration/; classtype:policy-violation; sid:20245; rev:6;)
|
|
# alert tcp any any -> $HOME_NET 9100 (msg:"POLICY-OTHER HP Printer firmware update attempt"; flow:to_server,established; content:"@PJL COMMENT MODEL=HP"; fast_pattern:only; content:"|1B|%-12345X@PJL"; depth:13; nocase; content:"@PJL UPGRADE SIZE="; nocase; classtype:policy-violation; sid:20658; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10651 (msg:"POLICY-OTHER Progrea Movicon TCPUploadServer.exe unauthenticated access attempt"; flow:established,to_server; content:"MovX"; depth:4; nocase; pcre:"/^[\x31-\x37\x42]/R"; reference:bugtraq,46907; reference:cve,2011-2963; classtype:attempted-admin; sid:20758; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4848 (msg:"POLICY-OTHER TRACE attempt"; flow:to_server,established; content:"TRACE"; depth:5; reference:bugtraq,47818; reference:cve,2011-1511; classtype:web-application-attack; sid:20873; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER HP SiteScope integrationViewer default credentials policy-bypass attempt"; flow:to_server,established; content:"/SiteScope/j_security_check"; fast_pattern:only; http_uri; pcre:"/(j_username\x3D\x26)?[^\n]*j_password\x3D(\x26|$)([^\n]*j_username\x26(\x26|$))?/"; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:policy-violation; sid:20996; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER HP SiteScope integrationViewer default credentials policy-bypass attempt"; flow:to_server,established; content:"/SiteScope/j_security_check"; http_uri; content:"j_username|3D|integrationViewer"; fast_pattern:only; pcre:"/j_password\x3DvKm46(\x2A|\x25\x32\x41)sdH(\x24|\x25\x32\x34)8109(\x23|\x25\x32\x33)JLSudh(\x3A|\x25\x33\x41)(\x29|\x25\x32\x39)/"; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:policy-violation; sid:20995; rev:7;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Telnet protocol specifier in web page attempt"; flow:to_client,established; file_data; content:"telnet|3A 2F 2F|"; fast_pattern:only; pcre:"/(src|href)\s*=\s*(\x22|\x27|)telnet\x3a\x2f\x2f/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,11731; reference:cve,2004-1541; classtype:policy-violation; sid:19669; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER TRENDnet IP Camera anonymous access attempt"; flow:to_server,established; content:"/anony/"; fast_pattern:only; http_uri; pcre:"/\/anony\/(jpgview\.htm|mjpeg\.cgi|view2\.cgi|mjpg\.cgi)/Ui"; metadata:ruleset community, service http; reference:url,console-cowboys.blogspot.com/2012/01/trendnet-cameras-i-always-feel-like.html; reference:url,www.trendnet.com/press/view.asp?id=1958; reference:url,www.wired.com/threatlevel/2012/02/home-cameras-exposed/; classtype:policy-violation; sid:21267; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER Microsoft Windows 98 User-Agent string"; flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"Windows 98"; fast_pattern:only; http_header; pcre:"/^User-Agent\x3A[^\r\n]+Windows 98/Hsmi"; metadata:service http; reference:url,msdn.microsoft.com/en-us/library/ms537503(v=vs.85).aspx; classtype:policy-violation; sid:21556; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8080,8090] (msg:"POLICY-OTHER Cisco Network Registrar default credentials authentication attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"|2F|login|2E|js"; nocase; http_uri; content:"name=admin"; nocase; http_uri; content:"pass"; nocase; http_uri; content:"changeme"; within:12; http_uri; metadata:service http; reference:cve,2011-2024; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.securityfocus.com/bid/48076; classtype:default-login-attempt; sid:20691; rev:7;)
|
|
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER use of psexec remote administration tool"; flow:to_server,established; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C 00|p|00|s|00|e|00|x|00|e|00|c|00|s|00|v|00|c"; nocase; metadata:service netbios-ssn; reference:url,attack.mitre.org/techniques/T1035; reference:url,technet.microsoft.com/en-us/sysinternals/bb897553.aspx; classtype:policy-violation; sid:24008; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER TCP packet with urgent flag attempt"; flow:stateless; flags:U+; classtype:protocol-command-decode; sid:24378; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Adobe ColdFusion admin API access attempt"; flow:to_server,established; content:"/CFIDE/adminapi"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,57330; reference:cve,2013-0632; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:policy-violation; sid:25976; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Adobe ColdFusion component browser access attempt"; flow:to_server,established; content:"/CFIDE/componentutils"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,57330; reference:cve,2013-0632; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:policy-violation; sid:25977; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Adobe ColdFusion admin interface access attempt"; flow:to_server,established; content:"/CFIDE/administrator"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,57330; reference:cve,2013-0632; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:policy-violation; sid:25975; rev:2;)
|
|
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"POLICY-OTHER Achievement Unlocked -- Billion Dollar Company"; flow:to_server,established; content:"We've hit 1bn before but now we're solidly in there. Woot"; fast_pattern:only; reference:url,www.nasdaq.com/article/sourcefire-inc-fire-surged-to-a-new-high-on-q4-results-20120223-00248; classtype:policy-violation; sid:20000; rev:6;)
|
|
# alert tcp $EXTERNAL_NET [$FILE_DATA_PORTS,443] -> $HOME_NET any (msg:"POLICY-OTHER Microsoft ADFS endpoint information disclosure attempt"; flow:to_client,established; file_data; content:"/adfs/services/trust/2005/windowstransport"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-3185; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-066; classtype:misc-activity; sid:27609; rev:3;)
|
|
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER use of psexec remote administration tool SMBv2"; flow:to_server,established; content:"|FE|SMB"; depth:8; nocase; content:"|05 00|"; within:2; distance:8; content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:url,attack.mitre.org/techniques/T1028; reference:url,attack.mitre.org/techniques/T1035; reference:url,technet.microsoft.com/en-us/sysinternals/bb897553.aspx; classtype:policy-violation; sid:30281; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"POLICY-OTHER Chunked-Encoding transfer attempt"; flow:to_server,established; content:"Transfer-Encoding: chunked|0D 0A 0D 0A 0D 0A|"; nocase; isdataat:!0,relative,rawbytes; metadata:ruleset community, service http; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; reference:nessus,10932; classtype:policy-violation; sid:1807; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Rosetta Flash tool use attempt"; flow:to_server,established; content:"=ZWS"; fast_pattern:only; http_uri; urilen:>200; metadata:service http; reference:cve,2015-3096; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:url,miki.it/blog/2014/8/15/adobe-really-fixed-rosetta-flash-today/; classtype:policy-violation; sid:31401; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Rosetta Flash tool use attempt"; flow:to_server,established; content:"=FWS"; fast_pattern:only; http_uri; urilen:>200; metadata:service http; reference:cve,2015-3096; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:url,miki.it/blog/2014/8/15/adobe-really-fixed-rosetta-flash-today/; classtype:policy-violation; sid:31400; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Rosetta Flash tool use attempt"; flow:to_server,established; content:"=CWS"; fast_pattern:only; http_uri; urilen:>200; metadata:service http; reference:cve,2015-3096; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:url,miki.it/blog/2014/8/15/adobe-really-fixed-rosetta-flash-today/; classtype:policy-violation; sid:31399; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER Adobe Flash Player possible cross-domain bypass attempt"; flow:to_server,established; content:"|0D 0A|X-"; fast_pattern:only; http_header; content:".swf"; http_header; pcre:"/^Host:\s*(?P<hostname>[^\s\x2f\x5c]+)[\s\x2f\x5c].*?Referer:\s*https?:\x2f\x2f(?!(?P=hostname))[^\n]*\x2eswf([\r\n\?]|$)/smiH"; metadata:service http; reference:bugtraq,68455; reference:cve,2014-0537; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-17.html; classtype:policy-violation; sid:31614; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER HP Universal CMDB default credentials authentication attempt"; flow:to_server,established; content:"/axis2/axis2-admin/login"; fast_pattern:only; http_uri; content:"username=admin"; nocase; content:"password=axis2"; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,68363; reference:cve,2014-2617; reference:url,attack.mitre.org/techniques/T1078; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c04357076; classtype:policy-violation; sid:31846; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt"; flow:to_server,established; content:"USER|20|images|0D 0A|"; flowbits:set,qlogic_default_ftp; flowbits:noalert; metadata:ruleset community, service ftp; reference:url,attack.mitre.org/techniques/T1078; reference:url,filedownloads.qlogic.com/files/Manual/81355/UserGuide_5800V_Series_QuickTools_v80_59264-02B.pdf; reference:url,filedownloads.qlogic.com/files/manual/67941/QuickTools_Guide_Sb5600_Series_v74_59235-03_%5BA%5D.pdf; classtype:default-login-attempt; sid:31831; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt"; flow:to_server,established; content:"PASS|20|images|0D 0A|"; flowbits:isset,qlogic_default_ftp; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp; reference:url,attack.mitre.org/techniques/T1078; reference:url,filedownloads.qlogic.com/files/Manual/81355/UserGuide_5800V_Series_QuickTools_v80_59264-02B.pdf; reference:url,filedownloads.qlogic.com/files/manual/67941/QuickTools_Guide_Sb5600_Series_v74_59235-03_%5BA%5D.pdf; classtype:default-login-attempt; sid:31830; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6060 (msg:"POLICY-OTHER ManageEngine DeviceExpert user credentials enumeration attempt"; flow:to_server,established; content:"GET"; depth:3; content:"ReadUsersFromMasterServlet"; within:30; nocase; metadata:service http; reference:bugtraq,69443; reference:cve,2014-5377; classtype:policy-violation; sid:32092; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9001 (msg:"POLICY-OTHER SolarWinds Log and Event Manager default credentials authentication attempt"; flow:to_server,established; content:"|00 00 00 06|trigeo|00 00 00 06|trigeo"; reference:bugtraq,69559; reference:cve,2014-5504; reference:url,attack.mitre.org/techniques/T1078; classtype:policy-violation; sid:32068; rev:3;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Remote non-JavaScript file found in script tag src attribute"; flow:to_client,established; file_data; content:"<script"; content:"src="; within:30; isdataat:100,relative; content:!"|2E|js"; within:100; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6345; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; classtype:policy-violation; sid:32481; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Visual Mining NetCharts default credentials authentication attempt"; flow:to_server,established; content:"U2NoZWR1bGVyOiFAIyRzY2hlZHVsZXIkI0Ah"; http_header; metadata:service http; reference:bugtraq,70895; reference:cve,2014-8516; reference:url,attack.mitre.org/techniques/T1078; classtype:policy-violation; sid:32526; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"POLICY-OTHER SSLv3 CBC client connection attempt"; flow:to_server,established; ssl_version:sslv3; ssl_state:client_hello; content:"|16 03 00|"; depth:3; content:"|00 00 02 00 2F|"; within:5; distance:40; metadata:service ssl; reference:cve,2014-3566; classtype:attempted-recon; sid:32566; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER ManageEngine Eventlog Analyzer information disclosure attempt"; flow:to_server,established; content:"/agentHandler"; nocase; http_uri; content:"mode=getTableData"; fast_pattern:only; http_uri; content:"table="; nocase; http_uri; metadata:service http; reference:cve,2014-6038; classtype:attempted-recon; sid:32603; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER ManageEngine Eventlog Analyzer credential disclosure attempt"; flow:to_server,established; content:"/hostdetails"; fast_pattern:only; http_uri; content:"slid="; nocase; http_uri; content:"hostid="; nocase; http_uri; metadata:service http; reference:cve,2014-6039; reference:url,attack.mitre.org/techniques/T1003; reference:url,attack.mitre.org/techniques/T1081; reference:url,attack.mitre.org/techniques/T1214; classtype:attempted-recon; sid:32602; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Arris VAP2500 default credentials authentication attempt"; flow:to_server,established; content:"e882245238cff6150a1a67b1cc336f4f"; fast_pattern:only; content:"e882245238cff6150a1a67b1cc336f4f"; nocase; http_cookie; metadata:service http; reference:bugtraq,71297; reference:cve,2014-8424; reference:url,attack.mitre.org/techniques/T1078; classtype:policy-violation; sid:32741; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Arris VAP2500 default credentials authentication attempt"; flow:to_server,established; content:"1b3231655cebb7a1f783eddf27d254ca"; fast_pattern:only; content:"1b3231655cebb7a1f783eddf27d254ca"; nocase; http_cookie; metadata:service http; reference:bugtraq,71297; reference:cve,2014-8424; reference:url,attack.mitre.org/techniques/T1078; classtype:policy-violation; sid:32740; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET [696,7426] (msg:"POLICY-OTHER HP Network Node Manager ovopi.dll command 685 insecure pointer dereference attempt"; flow:stateless; content:"|AD 02 00 00|"; depth:4; isdataat:2556,relative; reference:cve,2014-2624; reference:url,h20565.www2.hp.com/hpsc/doc/public/display?calledBy=&docId=emr_na-c04378450-2; classtype:policy-violation; sid:32729; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER base64 encoded executable file download"; flow:to_client,established; file_data; content:"TV"; depth:2; content:"A//8AALgAAAAAAAAAQAA"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/b9cf049a38d52f79e2a9c2d84b9bbc5ad39263a8b663cceda5cae12a3bdb65b8/analysis/; classtype:policy-violation; sid:32951; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER PirateBrowser User-Agent detected"; flow:to_server, established; content:"User-Agent: PB"; fast_pattern:only; http_header; pcre:"/User-Agent: PB\d\.\d/iH"; metadata:service http; reference:url,piratebrowser.com; classtype:policy-violation; sid:32907; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER ManageEngine Desktop Central DCPlugin insecure admin account creation attempt"; flow:to_server,established; content:"/DCPluginServelet"; fast_pattern:only; http_uri; content:"action=addPlugInUser"; nocase; http_uri; content:"role=DCAdmin"; nocase; http_uri; content:"password="; nocase; http_uri; metadata:service http; reference:bugtraq,71849; reference:cve,2014-7862; classtype:policy-violation; sid:32967; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 48080 (msg:"POLICY-OTHER SolarWinds Firewall Security Manager insecure userlogin.jsp access attempt"; flow:to_server,established; content:"GET /fsm/userlogin.jsp"; depth:22; nocase; metadata:service http; reference:cve,2015-2284; classtype:policy-violation; sid:33875; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Evercookie persistent cookie storage attempt"; flow:to_server,established; file_data; content:"this.evercookie_etag"; content:"function("; within:15; content:"name"; within:8; content:"value"; within:9; metadata:service smtp; reference:url,github.com/samyk/evercookie/blob/master/js/evercookie.js; classtype:policy-violation; sid:33964; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Evercookie persistent cookie storage attempt"; flow:to_client,established; file_data; content:"this.evercookie_etag"; content:"function("; within:15; content:"name"; within:8; content:"value"; within:9; metadata:service ftp-data, service http, service imap, service pop3; reference:url,github.com/samyk/evercookie/blob/master/js/evercookie.js; classtype:policy-violation; sid:33963; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER ManageEngine Desktop Central insecure admin password reset attempt"; flow:to_server,established; content:"/DCOperationsServlet"; fast_pattern:only; http_uri; content:"operation=addOrModifyUser"; nocase; http_uri; content:"roleId=DCAdmin"; nocase; http_uri; content:"password="; nocase; http_uri; metadata:service http; reference:cve,2015-2560; classtype:policy-violation; sid:33986; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER ManageEngine Desktop Central insecure admin password reset attempt"; flow:to_server,established; content:"/DCOperationsServlet"; fast_pattern:only; http_uri; content:"operation=addOrModifyUser"; nocase; http_client_body; content:"roleId=DCAdmin"; nocase; http_client_body; content:"password="; nocase; http_client_body; metadata:service http; reference:cve,2015-2560; classtype:policy-violation; sid:34024; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2224 (msg:"POLICY-OTHER Red Hat OpenStack default password login attempt"; flow:to_server,established; content:"hacluster"; fast_pattern:only; content:"CHANGEME"; metadata:service http; reference:cve,2015-1842; reference:url,attack.mitre.org/techniques/T1078; reference:url,rhn.redhat.com/errata/RHSA-2015-0791.html; classtype:attempted-admin; sid:34345; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7080 (msg:"POLICY-OTHER Red Hat JBoss Operations Network web console access attempt"; flow:to_server,established; content:"/coregui/org.rhq.coregui.CoreGUI/"; fast_pattern:only; metadata:service http; reference:url,access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Users_Guide/index.html; classtype:policy-violation; sid:34342; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7080 (msg:"POLICY-OTHER Red Hat JBoss Operations Network ServerInvokerServlet access attempt"; flow:to_server,established; content:"GET /jboss-remoting-servlet-invoker/ServerInvokerServlet"; fast_pattern:only; metadata:service http; reference:cve,2015-0297; reference:url,rhn.redhat.com/errata/RHSA-2015-0862.html; classtype:policy-violation; sid:34341; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7080 (msg:"POLICY-OTHER Red Hat JBoss Operations Network ServerInvokerServlet access attempt"; flow:to_server,established; content:"POST /jboss-remoting-servlet-invoker/ServerInvokerServlet"; fast_pattern:only; metadata:service http; reference:cve,2015-0297; reference:url,rhn.redhat.com/errata/RHSA-2015-0862.html; classtype:policy-violation; sid:34340; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"POLICY-OTHER ProFTPD mod_copy unauthenticated file copy attempt"; flow:to_server,established; content:"SITE"; depth:4; nocase; content:"CPFR"; within:4; distance:1; fast_pattern; nocase; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,74238; reference:cve,2015-3306; classtype:policy-violation; sid:34447; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"POLICY-OTHER PHP tag injection in http header attempt"; flow:to_server,established; content:"<?php"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2013-1081; classtype:web-application-attack; sid:27027; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1098 (msg:"POLICY-OTHER RedHat JBOSS JNDI service naming"; flow:established,to_server; content:"javax.naming"; content:"org.jnp.interfaces.FastNamingProperties"; fast_pattern:only; metadata:policy max-detect-ips drop, service java_rmi; reference:bugtraq,54644; reference:cve,2011-4605; classtype:policy-violation; sid:25317; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12345 (msg:"POLICY-OTHER Adobe InDesign SOAP interface RunScript method access attempt"; flow:to_server,established; content:"|3C|IDSP|3A|RunScript|3E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; classtype:policy-violation; sid:24987; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"POLICY-OTHER PHP uri tag injection attempt"; flow:to_server,established; content:"<?php"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0297; reference:cve,2012-2957; classtype:web-application-attack; sid:23111; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8080,8090] (msg:"POLICY-OTHER Cisco network registrar default credentials authentication attempt"; flow:to_server,established; content:"/login.js"; nocase; http_uri; content:"name=admin"; nocase; http_uri; content:"pass"; nocase; http_uri; content:"changeme"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2011-2024; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.securityfocus.com/bid/48076; classtype:default-login-attempt; sid:20692; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER HP Universal CMDB server axis2 service upload attempt"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/axis2/axis2-admin/upload"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:url,secunia.com/advisories/42763/; classtype:attempted-admin; sid:19158; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER CA ARCserve Axis2 default credential login attempt"; flow:to_server,established; content:"/axis2-admin/login"; fast_pattern:only; http_uri; content:"userName=admin"; nocase; http_client_body; content:"password="; nocase; http_client_body; pcre:"/^(admin|axis2)/iR"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45625; reference:cve,2010-0219; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:18985; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6504 (msg:"POLICY-OTHER CA BightStor ARCserver Backup possible insecure method access"; flow:established, to_server; dce_iface:506b1890-14c8-11d1-bbc3-00805fa6962e; dce_opnum:383-396; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2007-5328; reference:url,secunia.com/advisories/27192/; classtype:attempted-user; sid:17577; rev:8;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER file URI scheme attempt"; flow:established,to_client; file_data; content:"file|3A 2F 2F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2011-3230; reference:url,tools.ietf.org/html/rfc1630; reference:url,tools.ietf.org/html/rfc1738; classtype:policy-violation; sid:16642; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 9001:9030 (msg:"POLICY-OTHER TOR proxy connection initiation"; flow:to_server,established; content:"TOR"; content:"client <identity>"; metadata:policy max-detect-ips drop; classtype:policy-violation; sid:13696; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 13782 (msg:"POLICY-OTHER VERITAS NetBackup system - execution function call access"; flow:established,to_server; content:"|00 18 00 1B 00 02|"; depth:18; metadata:policy max-detect-ips drop; reference:bugtraq,21565; reference:cve,2006-4902; reference:cve,2006-6822; classtype:misc-activity; sid:10130; rev:9;)
|
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER IPv6 packets encapsulated in IPv4"; ip_proto:41; metadata:policy max-detect-ips drop; reference:bugtraq,29235; reference:cve,2008-2136; classtype:policy-violation; sid:8446; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER web server file upload attempt"; flow:to_server,established; content:"Content-Disposition"; nocase; content:"filename"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,www.faqs.org/rfcs/rfc1867.html; classtype:misc-activity; sid:5708; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Novell ZENworks Configuration Management session id disclosure attempt"; flow:to_server,established; content:"/zenworks/rtr"; nocase; http_uri; content:"maintenance=ShowLogins"; fast_pattern:only; metadata:service http; reference:bugtraq,74289; reference:cve,2015-0784; classtype:policy-violation; sid:34584; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER HP SiteScope unspecified privilege escalation attempt"; flow:to_server,established; content:"/SiteScope/remoteProxy?"; http_uri; content:"File name|74 00 0C|users.config"; fast_pattern:only; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-2120; reference:url,h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04688784 ; classtype:policy-violation; sid:34823; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Arcserve Unified Data Protection Management credential disclosure attempt"; flow:to_server,established; content:"POST /services/EdgeServiceImpl"; depth:30; nocase; content:"getBackupPolic"; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,74838; reference:cve,2015-4069; reference:url,attack.mitre.org/techniques/T1003; reference:url,attack.mitre.org/techniques/T1081; reference:url,attack.mitre.org/techniques/T1214; classtype:policy-violation; sid:34944; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 631 (msg:"POLICY-OTHER Apple Cups cupsd.conf change attempt"; flow:to_server,established; content:"PUT"; http_method; urilen:22; content:"/admin/conf/cupsd.conf"; fast_pattern:only; http_uri; metadata:service http; classtype:policy-violation; sid:35042; rev:1;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER IPv6 neighbor solicitation - THC-IPv6 tool indicator attempt"; itype:135; icode:>0; detection_filter:track by_dst, count 4000, seconds 1; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:35098; rev:1;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER IPv6 neighbor solicitation - THC-IPv6 tool indicator attempt"; itype:135; icode:>0; content:"XXXXXX"; fast_pattern:only; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:35097; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Microsoft Internet Explorer InPrivate mode image information leak attempt"; flow:to_server,established; file_data; content:".getElementById"; nocase; content:".width"; within:100; nocase; content:".height"; within:50; nocase; pcre:"/\x2EgetElementById\x28[\x22\x27]?(?P<element>\w+)[\x22\x27]?.*?(?P=element)\x2Ewidth.*?(?P=element)\x2Eheight/si"; metadata:service smtp; reference:cve,2015-2414; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-recon; sid:35195; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Microsoft Internet Explorer InPrivate mode image information leak attempt"; flow:to_server,established; file_data; content:".getElementById"; nocase; content:".height"; within:100; nocase; content:".width"; within:50; nocase; pcre:"/\x2EgetElementById\x28[\x22\x27]?(?P<element>\w+)[\x22\x27]?.*?(?P=element)\x2Eheight.*?(?P=element)\x2Ewidth/si"; metadata:service smtp; reference:cve,2015-2414; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-recon; sid:35194; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Microsoft Internet Explorer InPrivate mode image information leak attempt"; flow:to_client,established; file_data; content:".getElementById"; nocase; content:".width"; within:100; nocase; content:".height"; within:50; nocase; pcre:"/\x2EgetElementById\x28[\x22\x27]?(?P<element>\w+)[\x22\x27]?.*?(?P=element)\x2Ewidth.*?(?P=element)\x2Eheight/si"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2414; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-recon; sid:35193; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Microsoft Internet Explorer InPrivate mode image information leak attempt"; flow:to_client,established; file_data; content:".getElementById"; nocase; content:".height"; within:100; nocase; content:".width"; within:50; nocase; pcre:"/\x2EgetElementById\x28[\x22\x27]?(?P<element>\w+)[\x22\x27]?.*?(?P=element)\x2Eheight.*?(?P=element)\x2Ewidth/si"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2414; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-recon; sid:35192; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Remote non-JavaScript file found in script tag src attribute"; flow:to_server,established; file_data; content:"<script"; content:"src="; within:30; isdataat:50,relative; isdataat:!100,relative; content:!"|2E|js"; within:50; metadata:service smtp; reference:cve,2015-1729; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:policy-violation; sid:35181; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Remote non-JavaScript file found in script tag src attribute"; flow:to_client,established; file_data; content:"<script"; content:"src="; within:30; isdataat:50,relative; isdataat:!100,relative; content:!"|2E|js"; within:50; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1729; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:policy-violation; sid:35180; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Microsoft Internet Explorer IE6 compatibility mode attempt"; flow:to_server,established; file_data; content:"http-equiv="; nocase; content:"X-UA-Compatible"; within:50; nocase; content:"content="; within:50; nocase; content:"IE=6"; within:50; nocase; metadata:service smtp; reference:url,msdn.microsoft.com/en-us/library/ms533876%28v=vs.85%29.aspx; classtype:policy-violation; sid:35148; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Microsoft Internet Explorer IE6 compatibility mode attempt"; flow:to_client,established; file_data; content:"http-equiv="; nocase; content:"X-UA-Compatible"; within:50; nocase; content:"content="; within:50; nocase; content:"IE=6"; within:50; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,msdn.microsoft.com/en-us/library/ms533876%28v=vs.85%29.aspx; classtype:policy-violation; sid:35147; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Microsoft cabinet file default sha1 signature detected"; flow:to_server,established; flowbits:isset,file.cab; file_data; content:"|06 09 2A 86 48 86 F7 0D 01 01 05 05 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2466; reference:url,attack.mitre.org/techniques/T1078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-081; classtype:misc-attack; sid:35528; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Microsoft cabinet file default sha1 signature detected"; flow:to_client,established; flowbits:isset,file.cab; file_data; content:"|06 09 2A 86 48 86 F7 0D 01 01 05 05 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2466; reference:url,attack.mitre.org/techniques/T1078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-081; classtype:misc-attack; sid:35527; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"POLICY-OTHER EMC AutoStart ftagent insecure opcode 20 subcode 2219 access attempt"; flow:to_server,established; content:"|31 00 00 00|"; depth:4; content:"|00 00 00 00 00 00 00 14 00 00 08 AB|"; within:12; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,74426; reference:cve,2015-0538; classtype:policy-violation; sid:35539; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"POLICY-OTHER EMC AutoStart ftagent insecure opcode 20 subcode 2060 access attempt"; flow:to_server,established; content:"|31 00 00 00|"; depth:4; content:"|00 00 00 00 00 00 00 14 00 00 08 0C|"; within:12; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,74426; reference:cve,2015-0538; classtype:policy-violation; sid:35538; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER OCSP response with no nextUpdate field"; flow:to_client,established; content:"content-type|3A| application/ocsp-response"; fast_pattern:only; http_header; file_data; content:"|80 00 18 0F|"; isdataat:500,relative; content:!"|A0 11 18 0F|"; within:500; metadata:service http; reference:cve,2015-4748; reference:url,www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html; classtype:policy-violation; sid:35598; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Symantec Endpoint Protection insecure password reset attempt"; flow:to_server,established; content:"/servlet/ConsoleServlet"; nocase; http_uri; content:"ActionType=ResetPassword"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2015-1486; classtype:policy-violation; sid:35670; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 51000 (msg:"POLICY-OTHER EMC Documentum Content Server remote access attempt"; flow:to_server,established; content:"|0A|QUERY STRING"; fast_pattern:only; reference:cve,2014-2514; reference:cve,2015-4532; reference:url,www.emc.com/enterprise-content-management/index.htm; classtype:policy-violation; sid:35849; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER BitTorrent distributed reflected denial-of-service attempt"; flow:stateless,no_stream; content:"|13|BitTorrent protocol"; fast_pattern:only; detection_filter:track by_dst, count 70, seconds 5; reference:url,usenix.org/conference/woot15/workshop-program/presentation/p2p-file-sharing-hell-exploiting-bittorrent; classtype:attempted-dos; sid:36194; rev:2;)
|
|
alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"POLICY-OTHER Cisco router Security Device Manager default banner"; flow:to_client,established; content:"the one-time use of the username |22|cisco|22| with the |0A|password |22|cisco|22|."; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service telnet; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.cisco.com/c/en/us/td/docs/routers/access/iad880/hardware/installation/guide/IAD880HIG/4InitialConfigIAD880.pdf; classtype:policy-violation; sid:36282; rev:3;)
|
|
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"POLICY-OTHER dnstunnel v0.5 outbound traffic detected"; flow:to_server,no_stream; content:"|01 00|"; depth:2; offset:2; byte_test:1,>,20,12; content:"|00 19 00 01|"; offset:34; detection_filter:track by_src, count 10, seconds 1; metadata:service dns; reference:url,www.hsc.fr/ressources/outils/dns2tcp/index.html.en; classtype:policy-violation; sid:36379; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute"; flow:to_server,established; file_data; content:"<script"; content:"text/vbs"; within:30; content:"src="; within:30; isdataat:100,relative; content:!"|2E|vbs"; within:100; metadata:service smtp; reference:cve,2015-6059; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-106; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-108; classtype:policy-violation; sid:36422; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute"; flow:to_client,established; file_data; content:"<script"; content:"text/vbs"; within:30; content:"src="; within:30; isdataat:100,relative; content:!"|2E|vbs"; within:100; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6059; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-106; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-108; classtype:policy-violation; sid:36421; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute"; flow:to_server,established; file_data; content:"<script"; content:"language"; within:30; content:"vbscript"; within:30; content:"src="; within:30; isdataat:100,relative; content:!"|2E|vbs"; within:100; metadata:service smtp; reference:cve,2015-6059; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-106; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-108; classtype:policy-violation; sid:36420; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute"; flow:to_client,established; file_data; content:"<script"; content:"language"; within:30; content:"vbscript"; within:30; content:"src="; within:30; isdataat:100,relative; content:!"|2E|vbs"; within:100; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-6059; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-106; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-108; classtype:policy-violation; sid:36419; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"POLICY-OTHER Polycom Botnet inbound connection attempt"; flow:to_server,established; file_data; content:"|03 00|"; depth:2; content:"|08 02|"; within:2; distance:2; content:"|00|c|00|i|00|s|00|c|00|o"; within:60; content:"ooh323"; distance:0; fast_pattern; reference:url,support.polycom.com/global/documents/support/documentation/H_3_2_3_Botnet_Bulletin_v_1_1.pdf; classtype:trojan-activity; sid:36541; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Symantec LiveUpdate forcepasswd.do insecure password change attempt"; flow:to_server,established; content:"/lua/forcepasswd.do"; fast_pattern:only; http_uri; content:"newPassword"; nocase; http_client_body; metadata:service http; reference:bugtraq,66399; reference:cve,2014-1644; classtype:policy-violation; sid:36784; rev:2;)
|
|
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER self-signed SSL certificate eDellRoot use attempt"; flow:to_client,established; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|6B C5 7B 95 18 93 AA 97 4B 62 4A C0 88 FC 3B B6|"; fast_pattern:only; content:"|09|eDellRoot"; metadata:service ssl; classtype:policy-violation; sid:36887; rev:1;)
|
|
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER SSL/TLS weak RC4 cipher suite use attempt"; flow:to_client,established; ssl_state:server_hello; content:"|02|"; depth:1; offset:5; byte_jump:1,37,relative; content:"|00 05|"; within:2; metadata:service ssl; reference:bugtraq,73684; reference:cve,2015-2808; classtype:policy-violation; sid:37026; rev:3;)
|
|
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER SSL/TLS weak RC4 cipher suite use attempt"; flow:to_client,established; ssl_state:server_hello; content:"|02|"; depth:1; offset:5; byte_jump:1,37,relative; content:"|00 04|"; within:2; metadata:service ssl; reference:bugtraq,73684; reference:cve,2015-2808; classtype:policy-violation; sid:37025; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER ManageEngine EventLog Analyzer runQuery.do insecure SQL query attempt"; flow:to_server,established; content:"/event/runQuery.do"; fast_pattern:only; http_uri; content:"execute=true"; nocase; content:"query="; nocase; metadata:service http; reference:bugtraq,76866; reference:cve,2015-7387; classtype:policy-violation; sid:36915; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 53413 (msg:"POLICY-OTHER Netcore/Netis firmware hard-coded backdoor account access attempt"; flow:to_server; content:"netcore"; depth:7; offset:8; reference:url,nearsecurity.net/love-china-netisbackdoor-exploitation/; classtype:attempted-admin; sid:37545; rev:1;)
|
|
# alert tcp any any -> any any (msg:"POLICY-OTHER junk rule to autoenable pop3.stat flowbit"; flow:to_client,established; content:"237<pop3.stat>5yefahr78ah4r7ayrq7yq3tr4ga78"; fast_pattern:only; flowbits:isset,pop3.stat; metadata:policy max-detect-ips alert; classtype:misc-activity; sid:37683; rev:1;)
|
|
# alert tcp any any -> any any (msg:"POLICY-OTHER junk rule to autoenable smb.session.negotiate flowbit"; flow:to_client,established; content:"237<smb.session.negotiate>5yefahr78ah4r7ayrq7yq3tr4ga78"; fast_pattern:only; flowbits:isset,smb.session.negotiate; metadata:policy max-detect-ips alert; classtype:misc-activity; sid:37682; rev:1;)
|
|
# alert tcp any any -> any any (msg:"POLICY-OTHER junk rule to autoenable vnetd.bpspsserver.connection flowbit"; flow:to_client,established; content:"237<vnetd.bpspsserver.connection>5yefahr78ah4r7ayrq7yq3tr4ga78"; fast_pattern:only; flowbits:isset,vnetd.bpspsserver.connection; metadata:policy max-detect-ips alert; classtype:misc-activity; sid:37681; rev:1;)
|
|
# alert tcp any any -> any any (msg:"POLICY-OTHER eicar test string download attempt"; flow:to_client,established; file_data; content:"7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+"; fast_pattern:only; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:37732; rev:1;)
|
|
# alert tcp any any -> any any (msg:"POLICY-OTHER junk rule to autoenable imap.cram_md5 flowbit"; flow:to_client,established; content:"237<imap.cram_md5>5yefahr78ah4r7ayrq7yq3tr4ga78"; fast_pattern:only; flowbits:isset,imap.cram_md5; metadata:policy max-detect-ips alert; classtype:misc-activity; sid:37845; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"POLICY-OTHER Polycom Botnet inbound connection attempt"; flow:to_server,established; file_data; content:"|03 00|"; depth:2; content:"|08 02|"; within:2; distance:2; content:"EE|A8 C6|3"; within:80; content:"ooh323"; distance:6; fast_pattern; metadata:ruleset community; reference:url,support.polycom.com/global/documents/support/documentation/H_3_2_3_Botnet_Bulletin_v_1_2.pdf; classtype:trojan-activity; sid:37815; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"POLICY-OTHER Polycom Botnet inbound connection attempt"; flow:to_server,established; file_data; content:"|03 00|"; depth:2; content:"|08|"; distance:2; content:"|05|"; distance:4; content:"MERA RTU"; within:100; fast_pattern; metadata:ruleset community; reference:url,support.polycom.com/global/documents/support/documentation/H_3_2_3_Botnet_Bulletin_v_1_2.pdf; classtype:trojan-activity; sid:37814; rev:1;)
|
|
# alert tcp any any -> any any (msg:"POLICY-OTHER junk rule to autoenable vnc.server.auth.types flowbit"; flow:to_client,established; content:"237<vnc.server.auth.types>5yefahr78ah4r7ayrq7yq3tr4ga78"; fast_pattern:only; flowbits:isset,vnc.server.auth.types; metadata:policy max-detect-ips alert; classtype:misc-activity; sid:37813; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Adobe Flash file containing protoType.valueOf function download detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|09|prototype"; fast_pattern:only; content:"|07|valueOf"; nocase; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38059; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Adobe Flash file containing getDefinitionByName function download detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|13|getDefinitionByName"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38058; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Adobe Flash file containing parseFloat function download detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|0A|parseFloat"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38057; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Adobe Flash file containing domainMemory function download detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|0C|domainMemory"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38056; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Adobe Flash file containing defaultValue function download detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|0C|defaultValue"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38055; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Adobe Flash file containing protoType.valueOf function download detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|09|prototype"; fast_pattern:only; content:"|07|valueOf"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38054; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Adobe Flash file containing getDefinitionByName function download detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|13|getDefinitionByName"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38053; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Adobe Flash file containing parseFloat function download detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0A|parseFloat"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38052; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Adobe Flash file containing domainMemory function download detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0C|domainMemory"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38051; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Adobe Flash file containing defaultValue function download detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0C|defaultValue"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38050; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER PDF containing U3D object download detected"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Subtype"; nocase; content:"/U3D"; within:20; fast_pattern; nocase; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38048; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER PDF containing mluc tag object download detected"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"mluc|00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38047; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER PDF ActiveX CLSID access detected"; flow:to_server, established; file_data; content:"CA8A9780-280D-11CF-A24D-444553540000"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2014-0527; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; classtype:attempted-user; sid:38046; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER PDF ActiveX CLSID access detected"; flow:to_server, established; file_data; content:"AcroPDF.PDF"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2014-0527; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; classtype:attempted-user; sid:38045; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER PDF containing AcroForm key download detected"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/AcroForm"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-1092; classtype:policy-violation; sid:38044; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER PDF containing Action key download detected"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Action"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38043; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER PDF containing Launch key download detected"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Launch"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38042; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER PDF containing U3D object download detected"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Subtype"; nocase; content:"/U3D"; within:20; fast_pattern; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38041; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER PDF containing mluc tag object download detected"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"mluc|00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38040; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER PDF ActiveX CLSID access detected"; flow:to_client, established; file_data; content:"CA8A9780-280D-11CF-A24D-444553540000"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0527; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; classtype:attempted-user; sid:38039; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER PDF ActiveX CLSID access detected"; flow:to_client, established; file_data; content:"AcroPDF.PDF"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0527; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; classtype:attempted-user; sid:38038; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER PDF containing AcroForm key download detected"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/AcroForm"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1092; classtype:policy-violation; sid:38037; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER PDF containing Action key download detected"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Action"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38036; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER PDF containing Launch key download detected"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Launch"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38035; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Adobe Flash file containing allowLoadBytesCodeExecution function download detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|6E|allowLoadBytesCodeExecution"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38034; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Adobe Flash file containing allowLoadBytesCodeExecution function download detected "; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|6E|allowLoadBytesCodeExecution"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38033; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Adobe Flash file containing atomicCompareAndSwapLength function download detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|1A|atomicCompareAndSwapLength"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38032; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Adobe Flash file containing loadBytes function download detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|09|loadBytes"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38031; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Adobe Flash file containing ExternalInterface function download detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|11|ExternalInterface"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38030; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Adobe Flash file containing atomicCompareAndSwapLength function download detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1A|atomicCompareAndSwapLength"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38029; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Adobe Flash file containing loadBytes function"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|09|loadBytes"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38028; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Adobe Flash file containing ExternalInterface function download detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|11|ExternalInterface"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38027; rev:2;)
|
|
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER SSL/TLS weak RC4 cipher suite use attempt"; flow:to_client,established; ssl_state:server_hello; content:"|02|"; depth:1; offset:5; byte_jump:1,37,relative; content:"|C0 16|"; within:2; metadata:service ssl; reference:bugtraq,73684; reference:cve,2015-2808; classtype:policy-violation; sid:37916; rev:2;)
|
|
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER SSL/TLS weak RC4 cipher suite use attempt"; flow:to_client,established; ssl_state:server_hello; content:"|02|"; depth:1; offset:5; byte_jump:1,37,relative; content:"|C0 11|"; within:2; metadata:service ssl; reference:bugtraq,73684; reference:cve,2015-2808; classtype:policy-violation; sid:37915; rev:2;)
|
|
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER SSL/TLS weak RC4 cipher suite use attempt"; flow:to_client,established; ssl_state:server_hello; content:"|02|"; depth:1; offset:5; byte_jump:1,37,relative; content:"|C0 0C|"; within:2; metadata:service ssl; reference:bugtraq,73684; reference:cve,2015-2808; classtype:policy-violation; sid:37914; rev:2;)
|
|
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER SSL/TLS weak RC4 cipher suite use attempt"; flow:to_client,established; ssl_state:server_hello; content:"|02|"; depth:1; offset:5; byte_jump:1,37,relative; content:"|C0 07|"; within:2; metadata:service ssl; reference:bugtraq,73684; reference:cve,2015-2808; classtype:policy-violation; sid:37913; rev:2;)
|
|
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER SSL/TLS weak RC4 cipher suite use attempt"; flow:to_client,established; ssl_state:server_hello; content:"|02|"; depth:1; offset:5; byte_jump:1,37,relative; content:"|C0 02|"; within:2; metadata:service ssl; reference:bugtraq,73684; reference:cve,2015-2808; classtype:policy-violation; sid:37912; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9855 (msg:"POLICY-OTHER Symantec Workspace Streaming insecure java serialized data upload attempt"; flow:to_server,established; content:"xmlrpc"; nocase; content:"ManagementAgentServer.putFile"; fast_pattern:only; content:"<methodName"; nocase; content:"serializable"; nocase; content:"rO0A"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,67189; reference:cve,2014-1649; classtype:policy-violation; sid:37880; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"POLICY-OTHER SSLv2 Client Hello attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv2; content:"|01 00 02|"; depth:3; offset:2; metadata:service ssl; reference:cve,2015-3197; reference:cve,2016-0800; classtype:policy-violation; sid:38060; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER HTTP Request missing user-agent"; flow:to_server,established; content:"GET"; nocase; http_method; content:"User-Agent:"; nocase; http_header; content:"|0D 0A|"; within:3; http_header; metadata:service http; reference:url,ietf.org/rfc/rfc2616.txt; classtype:misc-activity; sid:38130; rev:1;)
|
|
# alert udp $HOME_NET any -> any 53 (msg:"POLICY-OTHER Suspicious typo squatting DNS query to .om TLD attempt"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|om|00|"; distance:0; nocase; pcre:"/(?:netflix|yahoo|htc|huffingtonpost|nbc|bankofamerica|youtube|reddit|linkedin|facebook|live|google|baidu|gmail|xbox|adidas|hilton|ctrip|dangdang|directv|douban|drugstore|dubizzle|eastmoney|enterprise|etao|fiverr|one|qq|qv|si|sogou|tuniu|usaa|weather|weibo|y8|yatra)c?\x02om\x00/si"; metadata:service dns; reference:url,blogs.splunk.com/2016/04/01/hunting-that-evil-typosquatter/; reference:url,www.endgame.com/blog/what-does-oman-house-cards-and-typosquatting-have-common-om-domain-and-dangers-typosquatting; classtype:policy-violation; sid:38457; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER PDF containing XDP structure download detected"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<xdp:xdp"; fast_pattern:only; metadata:service smtp; reference:cve,2016-1092; classtype:policy-violation; sid:38823; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER PDF containing XDP structure download detected"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<xdp:xdp"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-1092; classtype:policy-violation; sid:38822; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER VMware vCenter Chargeback Manager ImageUploadServlet arbitrary JSP file upload attempt"; flow:to_server,established; content:"POST"; http_method; content:"/cbmui/ImageUploadServlet"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,60484; reference:cve,2013-3520; reference:url,www.vmware.com/security/advisories/VMSA-2013-0008.html; classtype:policy-violation; sid:38964; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Google Chromium ClusterFuzz fuzzer generated code detected"; flow:to_server,established; file_data; content:"g_ele_ref_parent"; nocase; content:"g_ele_ref_parent"; within:300; nocase; content:"g_ele_ref_son"; nocase; content:"g_ele_ref_son"; within:300; nocase; metadata:service smtp; reference:url,www.chromium.org/Home/chromium-security/bugs/using-clusterfuzz; classtype:policy-violation; sid:39502; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Google Chromium ClusterFuzz fuzzer generated code detected"; flow:to_client,established; file_data; content:"g_ele_ref_parent"; nocase; content:"g_ele_ref_parent"; within:300; nocase; content:"g_ele_ref_son"; nocase; content:"g_ele_ref_son"; within:300; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.chromium.org/Home/chromium-security/bugs/using-clusterfuzz; classtype:policy-violation; sid:39501; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER AutoItv3 Aut2Exe interpreter - compiled script"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|A3 48 4B BE 98 6C 4A A9 99 4C 53 0A 86 D6 48 7D|"; fast_pattern:only; content:"AU3!EA0"; metadata:service smtp; reference:url,autoitscript.com/autoit3/docs/intro/compiler.htm; reference:url,blog.didierstevens.com/2007/10/02/autoit-malware-revisited/; classtype:policy-violation; sid:40029; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER AutoItv3 Aut2Exe interpreter - compiled script"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|A3 48 4B BE 98 6C 4A A9 99 4C 53 0A 86 D6 48 7D|"; fast_pattern:only; content:"AU3!EA0"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,autoitscript.com/autoit3/docs/intro/compiler.htm; reference:url,blog.didierstevens.com/2007/10/02/autoit-malware-revisited/; classtype:policy-violation; sid:40028; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"POLICY-OTHER SSH weak blowfish cipher suite use attempt"; flow:to_server,established; content:"|00 00 00 0C|blowfish-cbc|00 00 00 0C|blowfish-cbc"; fast_pattern:only; reference:bugtraq,92630; reference:cve,2016-2183; classtype:policy-violation; sid:40190; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"POLICY-OTHER SSH weak 3DES cipher suite use attempt"; flow:to_server,established; content:"|00 00 00 08|3des-cbc|00 00 00 08|3des-cbc"; fast_pattern:only; reference:bugtraq,92630; reference:cve,2016-2183; classtype:policy-violation; sid:40189; rev:1;)
|
|
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER SSL weak 3DES cipher suite use attempt"; flow:to_client,established; ssl_state:server_hello; content:"|02|"; depth:1; offset:5; byte_jump:1,37,relative; content:"|C0 1C|"; within:2; metadata:service ssl; reference:bugtraq,92630; reference:cve,2016-2183; classtype:policy-violation; sid:40188; rev:1;)
|
|
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER SSL weak 3DES cipher suite use attempt"; flow:to_client,established; ssl_state:server_hello; content:"|02|"; depth:1; offset:5; byte_jump:1,37,relative; content:"|00 8B|"; within:2; metadata:service ssl; reference:bugtraq,92630; reference:cve,2016-2183; classtype:policy-violation; sid:40187; rev:1;)
|
|
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER SSL weak 3DES cipher suite use attempt"; flow:to_client,established; ssl_state:server_hello; content:"|02|"; depth:1; offset:5; byte_jump:1,37,relative; content:"|00 0A|"; within:2; metadata:service ssl; reference:bugtraq,92630; reference:cve,2016-2183; classtype:policy-violation; sid:40186; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Adobe Flash SMTP MIME attachment detected"; flow:to_server,established; content:"Content-Disposition"; fast_pattern:only; file_data; content:"ZWS"; depth:3; metadata:policy max-detect-ips drop, service smtp; reference:url,en.wikipedia.org/wiki/SWF; classtype:policy-violation; sid:41192; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Adobe Flash SMTP MIME attachment detected"; flow:to_server,established; content:"Content-Disposition"; fast_pattern:only; file_data; content:"FWS"; depth:3; metadata:policy max-detect-ips drop, service smtp; reference:url,en.wikipedia.org/wiki/SWF; classtype:policy-violation; sid:41191; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Adobe Flash SMTP MIME attachment detected"; flow:to_server,established; content:"Content-Disposition"; fast_pattern:only; file_data; content:"CWS"; depth:3; metadata:policy max-detect-ips drop, service smtp; reference:url,en.wikipedia.org/wiki/SWF; classtype:policy-violation; sid:41190; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"POLICY-OTHER SunRPC Portmap GETPORT request detected"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 A0 00 00 00 02 00 00 00 03|"; depth:20; offset:4; metadata:policy max-detect-ips drop, service sunrpc; reference:url,en.wikipedia.org/wiki/Portmap; classtype:policy-violation; sid:41186; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"POLICY-OTHER SunRPC Portmap GETPORT request detected"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A0 00 00 00 02 00 00 00 03|"; depth:20; offset:8; metadata:policy max-detect-ips drop, service sunrpc; reference:url,en.wikipedia.org/wiki/Portmap; classtype:policy-violation; sid:41185; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Cisco Firepower Management Console rule import access detected"; flow:to_server,established; content:"/DetectionPolicy/rules/rulesimport.cgi"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2016-6433; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc; classtype:policy-violation; sid:41389; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER Cisco WebEx explicit use of web plugin"; flow:to_server,established; content:"cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"; fast_pattern:only; http_uri; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3823; reference:cve,2017-6753; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex; classtype:policy-violation; sid:41409; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 55443 (msg:"POLICY-OTHER McAfee Virus Scan Linux outdated version detected"; flow:to_server,established; content:"/0409/nails"; content:"pg=proxy"; distance:0; nocase; content:"&tplt="; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,nation.state.actor/mcafee.html; classtype:policy-violation; sid:41515; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Wordpress Press-This page access detected"; flow:to_server,established; content:"/wp-admin/press-this.php"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2017-5610; reference:url,openwall.com/lists/oss-security/2017/01/28/5; classtype:policy-violation; sid:41649; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Piwik Analytics Platform PHP plugin installation detected"; flow:to_server,established; content:"CorePluginsAdmin"; fast_pattern:only; content:"uploadPlugin"; nocase; content:"pluginZip"; nocase; http_client_body; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:".php"; within:filename_len; distance:2; nocase; metadata:service http; reference:url,firefart.at/post/turning_piwik_superuser_creds_into_rce; classtype:policy-violation; sid:41647; rev:1;)
|
|
# alert tcp $HOME_NET 49152:65535 -> $HOME_NET 49152:65535 (msg:"POLICY-OTHER Microsoft Active Directory DSGetNCChanges attempt"; flow:to_server,established; content:"|00|"; depth:1; offset:2; content:"|10 00 00 00|"; within:4; distance:1; content:"|03 00|"; within:2; distance:14; content:"|09 06|"; distance:0; metadata:service dcerpc; reference:url,adsecurity.org/?p=1729; classtype:policy-violation; sid:41701; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER external admin access attempt"; flow:to_server,established; content:"/admin"; fast_pattern:only; http_uri; metadata:service http; classtype:attempted-admin; sid:41742; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Microsoft Word document with large docProps/core.xml file"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"PK|01 02|"; content:"docProps/core.xml"; within:17; distance:42; content:"|11 00|"; within:2; distance:-35; byte_test:4,>,2000,-6,relative, little; metadata:service smtp; reference:url,en.wikipedia.org/wiki/Macro_virus; classtype:policy-violation; sid:41762; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Microsoft Word document with large docProps/core.xml file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"PK|01 02|"; content:"docProps/core.xml"; within:17; distance:42; content:"|11 00|"; within:2; distance:-35; byte_test:4,>,2000,-6,relative, little; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/Macro_virus; classtype:policy-violation; sid:41761; rev:1;)
|
|
# alert udp any any -> any any (msg:"POLICY-OTHER Cisco IOS configuration transfer via TFTP detected"; flow:stateless; content:"|00 03|"; depth:2; content:"|21 0A|version "; fast_pattern:only; metadata:service tftp; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:policy-violation; sid:41744; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9200 (msg:"POLICY-OTHER ElasticSearch cluster health access detected"; flow:to_server,established; content:"GET /_cluster/health"; depth:20; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2015-0969; reference:url,www.kb.cert.org/vuls/id/697316; classtype:policy-violation; sid:41816; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"POLICY-OTHER SSLv3 Client Hello attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3; content:"|16 03 00|"; depth:3; metadata:service ssl; reference:cve,2002-1623; reference:cve,2013-2566; classtype:policy-violation; sid:41807; rev:1;)
|
|
# alert udp any any -> any any (msg:"POLICY-OTHER Cisco IOS privileged user configuration transfer via TFTP detected"; flow:stateless; content:"|00 03|"; depth:2; content:" privilege 15 "; fast_pattern:only; metadata:service tftp; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:policy-violation; sid:41796; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER Cisco IOS SMI imagelist download via TFTP detected"; flow:stateless; content:"|00 03 00 01|"; depth:4; content:".tar"; within:100; fast_pattern; nocase; metadata:service tftp; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:policy-violation; sid:41795; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER Cisco IOS SMI imagelist download via TFTP detected"; flow:stateless; content:"|00 03 00 01|"; depth:4; content:".bin"; within:100; fast_pattern; nocase; metadata:service tftp; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:policy-violation; sid:41794; rev:1;)
|
|
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER SSL/TLS weak RC4 cipher suite use attempt"; flow:to_client,established; ssl_state:server_hello; content:"|02|"; depth:1; offset:5; byte_jump:1,37,relative; content:"|00 18|"; within:2; metadata:service ssl; reference:bugtraq,73684; reference:cve,2015-2808; classtype:policy-violation; sid:41907; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER HTTP redirect to FTP server attempt"; flow:to_client,established; content:"30"; depth:2; http_stat_code; content:"Location|3A|"; nocase; http_header; content:"ftp|3A|//"; within:25; fast_pattern; nocase; http_header; metadata:policy max-detect-ips drop, service http; reference:bugtraq,91530; reference:cve,2016-4971; reference:url,lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html; classtype:attempted-user; sid:41906; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER ImageMagick magick vector graphics ephemeral access attempt"; flow:to_server,established; file_data; content:"stroke"; nocase; content:"ephemeral:"; distance:0; nocase; pcre:"/stroke\s+[\x27\x22]\s*?ephemeral\s*?:/i"; metadata:service smtp; reference:cve,2016-3715; classtype:policy-violation; sid:41902; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER ImageMagick magick vector graphics ephemeral access attempt"; flow:to_client,established; file_data; content:"stroke"; nocase; content:"ephemeral:"; distance:0; nocase; pcre:"/stroke\s+[\x27\x22]\s*?ephemeral\s*?:/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3715; classtype:policy-violation; sid:41901; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER ImageMagick magick vector graphics ephemeral access attempt"; flow:to_server,established; file_data; content:"fill"; nocase; content:"ephemeral:"; distance:0; nocase; pcre:"/fill\s+[\x27\x22]\s*?ephemeral\s*?:/i"; metadata:service smtp; reference:cve,2016-3715; classtype:policy-violation; sid:41900; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER ImageMagick magick vector graphics ephemeral access attempt"; flow:to_client,established; file_data; content:"fill"; nocase; content:"ephemeral:"; distance:0; nocase; pcre:"/fill\s+[\x27\x22]\s*?ephemeral\s*?:/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3715; classtype:policy-violation; sid:41899; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER ImageMagick magick vector graphics ephemeral access attempt"; flow:to_server,established; file_data; content:"image"; nocase; content:"ephemeral:"; distance:0; nocase; pcre:"/image\s+[\w\x2d]+\s+\d+\s*,\s*\d+[^\x27\x22]*?[\x27\x22]\s*?ephemeral\s*?:/i"; metadata:service smtp; reference:cve,2016-3715; classtype:policy-violation; sid:41898; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER ImageMagick magick vector graphics ephemeral access attempt"; flow:to_client,established; file_data; content:"image"; nocase; content:"ephemeral:"; distance:0; nocase; pcre:"/image\s+[\w\x2d]+\s+\d+\s*,\s*\d+[^\x27\x22]*?[\x27\x22]\s*?ephemeral\s*?:/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3715; classtype:policy-violation; sid:41897; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER ImageMagick magick vector graphics msl access attempt"; flow:to_server,established; file_data; content:"stroke"; nocase; content:"msl:"; distance:0; nocase; pcre:"/stroke\s+[\x27\x22]\s*?msl\s*?:/i"; metadata:service smtp; reference:cve,2016-3716; classtype:policy-violation; sid:41894; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER ImageMagick magick vector graphics msl access attempt"; flow:to_client,established; file_data; content:"stroke"; nocase; content:"msl:"; distance:0; nocase; pcre:"/stroke\s+[\x27\x22]\s*?msl\s*?:/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3716; classtype:policy-violation; sid:41893; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER ImageMagick magick vector graphics msl access attempt"; flow:to_server,established; file_data; content:"fill"; nocase; content:"msl:"; distance:0; nocase; pcre:"/fill\s+[\x27\x22]\s*?msl\s*?:/i"; metadata:service smtp; reference:cve,2016-3716; classtype:policy-violation; sid:41892; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER ImageMagick magick vector graphics msl access attempt"; flow:to_client,established; file_data; content:"fill"; nocase; content:"msl:"; distance:0; nocase; pcre:"/fill\s+[\x27\x22]\s*?msl\s*?:/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3716; classtype:policy-violation; sid:41891; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER ImageMagick magick vector graphics msl access attempt"; flow:to_server,established; file_data; content:"image"; nocase; content:"msl:"; distance:0; nocase; pcre:"/image\s+[\w\x2d]+\s+\d+\s*,\s*\d+[^\x27\x22]*?[\x27\x22]\s*?msl\s*?:/i"; metadata:service smtp; reference:cve,2016-3716; classtype:policy-violation; sid:41890; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER ImageMagick magick vector graphics msl access attempt"; flow:to_client,established; file_data; content:"image"; nocase; content:"msl:"; distance:0; nocase; pcre:"/image\s+[\w\x2d]+\s+\d+\s*,\s*\d+[^\x27\x22]*?[\x27\x22]\s*?msl\s*?:/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3716; classtype:policy-violation; sid:41889; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Carel PlantVisorPRO insecure SQL query transmission"; flow:to_server, established; content:"/PlantVisorPRO/arch/manager/"; fast_pattern:only; nocase; http_uri; content:"sqlcommand="; metadata:service http; reference:url,carelusa.com/product/plantvisorpro; classtype:web-application-attack; sid:41915; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9290 (msg:"POLICY-OTHER Aviosys IP Power 9258 W2 default login attempt"; flow:to_server,established; content:"/System/management.asp"; http_uri; content:"Authorization: Basic dXNlcjp1c2Vy"; fast_pattern:only; http_header; reference:url,attack.mitre.org/techniques/T1078; reference:url,aviosys.com/products.html; classtype:web-application-attack; sid:42068; rev:2;)
|
|
# alert tcp $HOME_NET 9290 -> $EXTERNAL_NET any (msg:"POLICY-OTHER Aviosys IP Power 9258 W2 management.asp information disclosure"; flow:to_client,established; file_data; content:"<td><input type=|22|text|22| name=|22|admuser|22| id=|22|admuser|22| size=|22|16|22| maxlength=|22|16|22| value="; content:"<td><input type=|22|password|22| name=|22|admpass|22| id=|22|admpass|22| size=|22|16|22| maxlength=|22|32|22| value="; fast_pattern:only; reference:url,aviosys.com/9258w2.html; classtype:web-application-attack; sid:42067; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER NetBiter WebSCADA ws100/ws200 file read attempt"; flow:to_server,established; file_data; content:"/cgi-bin/read.cgi"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2010-4730; reference:cve,2010-4731; reference:cve,2010-4732; classtype:web-application-attack; sid:42093; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER NetBiter WebSCADA ws100/ws200 logo modification attempt"; flow:to_server,established; file_data; content:"/cgi-bin/read.cgi"; http_uri; content:"page=config.html"; http_uri; content:"file=/home/config/pages/2.conf"; distance:0; http_uri; content:"section=PAGE2"; distance:0; http_uri; metadata:service http; reference:cve,2010-4732; reference:url,ics-cert.us-cert.gov/advisories/ICSA-10-316-01A; reference:url,ics-cert.us-cert.gov/alerts/ICS-ALERT-10-293-01; classtype:web-application-attack; sid:42092; rev:2;)
|
|
# alert tcp any any -> any any (msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"|CB 68 9E 19 5D 89 56 55 DB ED 56 ED D9 4B D2 60 DC 0B E2 9E 17 8C D3 70 16 C6 D3 C4 4B FB 49 EA|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42376; rev:2;)
|
|
# alert tcp any any -> any any (msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"|08 43 1F A6 84 67 40 39 48 76 D3 FE 4B 3C 80 07 33 EF 32 83 6D 24 F4 B2 3D 48 15 90 BA E2 5C 40|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3, service smtp; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42375; rev:2;)
|
|
# alert tcp any any -> any any (msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"|44 54 CD 3C BA 76 BF 75 53 47 28 94 1E 72 15 04 41 3B 9A B6 32 85 89 31 84 81 83 A6 42 DA 42 95|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3, service smtp; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42374; rev:2;)
|
|
# alert tcp any any -> any any (msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"|CB 68 9E 19 5D 89 56 55 DB ED 56 ED D9 4B D2 60 DC 0B E2 9E 17 8C D3 70 16 C6 D3 C4 4B FB 49 EA|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3, service smtp; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42373; rev:2;)
|
|
# alert tcp any any -> any any (msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"X5O!P%@AP[4|5C|PZX54(P^)7CC)7}-STANDARD-ANTIVIRUS-TEST-FILE!+H*"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3, service smtp; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42372; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS [445,1433] (msg:"POLICY-OTHER MSSQL CLR permission set to unsafe attempt"; flow:to_server,established; content:"W|00|I|00|T|00|H|00|"; nocase; content:"P|00|E|00|R|00|M|00|I|00|S|00|S|00|I|00|O|00|N|00|_|00|S|00|E|00|T"; within:100; nocase; content:"U|00|N|00|S|00|A|00|F|00|E"; within:100; fast_pattern; nocase; metadata:policy max-detect-ips drop, policy security-ips drop; reference:url,sekirkity.com/command-execution-in-sql-server-via-fileless-clr-based-custom-stored-procedure; classtype:attempted-admin; sid:42424; rev:2;)
|
|
# alert tcp any [16992,16993,16994,16995,623,664] -> any any (msg:"POLICY-OTHER Intel AMT remote administration tool access attempt"; flow:to_client,established; content:"<title>Intel®|3B| Active Management Technology</title>"; nocase; content:"Log on to Intel®|3B| Active Management Technology on this computer."; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,www-ssl.intel.com/content/www/us/en/architecture-and-technology/intel-active-management-technology.html; classtype:policy-violation; sid:42491; rev:2;)
|
|
# alert tcp any [16992,16993,16994,16995,623,664] -> any any (msg:"POLICY-OTHER Intel AMT remote administration tool access attempt"; flow:to_client,established; content:"HTTP/1"; depth:6; content:"Server: Intel|28|R|29| Active Management Technology"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,www-ssl.intel.com/content/www/us/en/architecture-and-technology/intel-active-management-technology.html; classtype:policy-violation; sid:42490; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"POLICY-OTHER Schneider Electric hardcoded FTP login attempt"; flow:to_server,established; content:"PASS factorycast@schneider"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp; classtype:attempted-admin; sid:42787; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Possible Apache Continuum saveInstallation.action command injection vulnerability check"; flow:to_server,established; content:"/continuum/about.action"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:url,issues.apache.org/jira/browse/continuum; classtype:misc-activity; sid:43785; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER D-Link DIR-645 router external authentication attempt"; flow:to_server,established; content:"/authentication.cgi"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2013-7389; classtype:policy-violation; sid:43784; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Teleopti WFM administrative user creation detected"; flow:to_server,established; content:"/TeleoptiWFM/Administration/AddFirstUser"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-admin; sid:43564; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Teleopti WFM administrative user credentials request detected"; flow:to_server,established; content:"/TeleoptiWFM/Administration/Users"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-recon; sid:43563; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Teleopti WFM database information request detected"; flow:to_server,established; content:"/TeleoptiWFM/Administration/GetOneTenant"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-recon; sid:43562; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27017 (msg:"POLICY-OTHER MongoDB dropDatabase attempt"; flow:to_server,established; content:"|D4 07 00 00|"; depth:4; offset:12; content:"|2E|"; distance:5; content:"|00|"; distance:1; content:"dropDatabase"; distance:12; reference:url,www.mongodb.com/; classtype:policy-violation; sid:43409; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27017 (msg:"POLICY-OTHER MongoDB query attempt"; flow:to_server,established; content:"|D4 07 00 00|"; depth:4; offset:12; reference:url,www.mongodb.com/; classtype:attempted-user; sid:43408; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27017 (msg:"POLICY-OTHER MongoDB insert document attempt"; flow:to_server,established; content:"|D2 07 00 00|"; depth:4; offset:12; reference:url,www.mongodb.com/; classtype:attempted-user; sid:43407; rev:1;)
|
|
# alert udp $HOME_NET any -> any 53 (msg:"POLICY-OTHER TOR Project domain request"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|torproject"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:43350; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Microsoft Browser iframe local file load attempt"; flow:to_server,established; file_data; content:"iframe"; content:"file://"; within:75; content:":|5C|"; within:25; content:"/iframe"; distance:0; metadata:service smtp; reference:cve,2017-8529; classtype:attempted-recon; sid:43162; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Microsoft Browser iframe local file load attempt"; flow:to_client,established; file_data; content:"iframe"; content:"file://"; within:75; content:":|5C|"; within:25; content:"/iframe"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-8529; classtype:attempted-recon; sid:43161; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8000,8001] (msg:"POLICY-OTHER Pro-Face Pro-ServerEX find node invalid memory access attempt"; flow:to_server,established; content:"|62 FF FF FF|"; depth:4; content:"|1C|Find|20|Node|00|ASP"; within:14; distance:16; nocase; reference:cve,2012-3792; classtype:misc-activity; sid:43146; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET [8000,8001] (msg:"POLICY-OTHER Pro-Face Pro-ServerEX find node invalid memory access attempt"; flow:to_server; content:"|62 FF FF FF|"; depth:4; content:"|1C|Find|20|Node|00|ASP"; within:14; distance:16; nocase; reference:cve,2012-3792; classtype:misc-activity; sid:43145; rev:1;)
|
|
# alert udp $EXTERNAL_NET 8003 -> $HOME_NET 8001 (msg:"POLICY-OTHER Beck IPC network configuration overwrite attempt"; flow:to_server; content:"|3A|"; depth:1; offset:2; content:"|3A|"; within:1; distance:2; content:"|3A|"; within:1; distance:2; content:"|3A|"; within:1; distance:2; content:"|3A|"; within:1; distance:2; content:"|20|"; within:1; distance:2; content:"|20|"; distance:0; content:"."; within:3; distance:1; content:"."; within:3; distance:1; content:"."; within:3; distance:1; content:"|20|"; within:3; distance:1; content:"."; within:3; distance:1; content:"."; within:3; distance:1; content:"."; within:3; distance:1; content:"|20|"; within:3; distance:1; content:"."; within:3; distance:1; content:"."; within:3; distance:1; content:"."; within:3; distance:1; pcre:"/^[a-f0-9]{2}\x3a[a-f0-9]{2}\x3a[a-f0-9]{2}\x3a[a-f0-9]{2}\x3a[a-f0-9]{2}\x3a[a-f0-9]{2}\s.*?\s.*?\s.*?\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/i"; reference:url,attack.mitre.org/techniques/T1077; reference:url,beck-ipc.com/; classtype:misc-activity; sid:43128; rev:2;)
|
|
# alert udp $HOME_NET any -> $EXTERNAL_NET 8003 (msg:"POLICY-OTHER Beck IPC network configuration enumeration attempt"; flow:to_server; content:"|20|"; content:"."; within:3; distance:1; content:"."; within:3; distance:1; content:"."; within:3; distance:1; content:"|20|"; distance:0; content:"|3A|"; within:1; distance:2; content:"|3A|"; within:1; distance:2; content:"|3A|"; within:1; distance:2; content:"|3A|"; within:1; distance:2; content:"|3A|"; within:1; distance:2; pcre:"/^(.*?\s){2}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s(.*?\s){7}[a-f0-9]{2}\x3a[a-f0-9]{2}\x3a[a-f0-9]{2}\x3a[a-f0-9]{2}\x3a[a-f0-9]{2}\x3a[a-f0-9]{2}/i"; reference:url,attack.mitre.org/techniques/T1077; reference:url,attack.mitre.org/techniques/T1135; reference:url,beck-ipc.com/; classtype:attempted-recon; sid:43127; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Adobe Acrobat cloud file undocumented function use"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"Collab.shareFile"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3043; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42968; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Adobe Acrobat cloud file undocumented function use"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"Collab.shareFile"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3043; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42967; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Cisco DDR2200 ASDL gateway file download detected"; flow:to_server,established; content:"download.conf"; fast_pattern:only; http_uri; content:"filename="; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2017-11587; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44004; rev:2;)
|
|
# alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"POLICY-OTHER vsFTPd denial of service attempt"; flow:to_client,established; content:"|28|vsFTPd 1.2.1|29|"; fast_pattern:only; metadata:service ftp; reference:cve,2004-2259; classtype:attempted-dos; sid:44324; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8089 (msg:"POLICY-OTHER SCADA Engine BACnet OPC Server untrusted SQL query execution attempt"; flow:to_server,established; content:"cbms.bacnet.opc.server"; fast_pattern:only; content:"<nsopc:request"; nocase; content:"0A000000"; distance:0; nocase; pcre:"/<nsopc:request[^>]*?>\s*?0A000000/i"; metadata:ruleset limited, service http; classtype:policy-violation; sid:35887; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25922 (msg:"POLICY-OTHER Kaskad SCADA default username and password attempt"; flow:to_server,established; content:"955A8DBA810FC284E04B8E49ACF2AE855D61C136AF01"; fast_pattern:only; metadata:ruleset limited; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:35886; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER SMBv1 protocol detection attempt"; flow:to_server,established; file_data; content:"|FF|SMB|72 00 00 00 00|"; content:"|02|NT LM 0."; distance:0; nocase; metadata:service netbios-ssn; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb1.rb; classtype:policy-violation; sid:44489; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER SMBv1 protocol detection attempt"; flow:to_server,established; file_data; content:"|FF|SMB|72 00 00 00 00|"; content:"|02|LANMAN2.1"; distance:0; nocase; metadata:service netbios-ssn; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb1.rb; classtype:policy-violation; sid:44488; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER SMBv1 protocol detection attempt"; flow:to_server,established; file_data; content:"|FF|SMB|72 00 00 00 00|"; content:"|02|LM1.2X002"; distance:0; nocase; metadata:service netbios-ssn; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb1.rb; classtype:policy-violation; sid:44487; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER SMBv1 protocol detection attempt"; flow:to_server,established; file_data; content:"|FF|SMB|72 00 00 00 00|"; content:"|02|Windows for Workgroups 3.1a"; distance:0; nocase; metadata:service netbios-ssn; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb1.rb; classtype:policy-violation; sid:44486; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER SMBv1 protocol detection attempt"; flow:to_server,established; file_data; content:"|FF|SMB|72 00 00 00 00|"; content:"|02|LANMAN1.0"; distance:0; nocase; metadata:service netbios-ssn; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb1.rb; classtype:policy-violation; sid:44485; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER SMBv1 protocol detection attempt"; flow:to_server,established; file_data; content:"|FF|SMB|72 00 00 00 00|"; content:"|02|PC NETWORK PROGRAM 1.0"; distance:0; nocase; metadata:service netbios-ssn; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb1.rb; classtype:policy-violation; sid:44484; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"POLICY-OTHER EMC Autostart default domain login attempt"; flow:to_server,established; content:"|31 00 00 00|"; content:"|00 00 00 63 00 00 00 01|"; within:8; distance:8; content:"|31 00 00 00|"; within:4; distance:4; content:"eas550"; within:6; distance:64; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:44623; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8443 (msg:"POLICY-OTHER SERVER-WEBAPP Symantec Endpoint Protection Manager authentication lock bypass attempt"; flow:to_server,established; content:"/servlet/ConsoleServlet"; fast_pattern:only; http_uri; content:"ActionType=Login"; http_uri; content:"VerifyPasswordOnly=True"; http_uri; content:"Password="; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-3648; classtype:attempted-admin; sid:44641; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER WPA2 key reuse tool attempt"; flow:to_client,established; file_data; content:"Dot11"; content:"RadioTap"; content:"FCfield"; content:"L2Socket"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-13077; reference:cve,2017-13078; reference:cve,2017-13079; reference:cve,2017-13080; reference:cve,2017-13081; reference:cve,2017-13082; reference:cve,2017-13084; reference:cve,2017-13086; reference:cve,2017-13087; reference:cve,2017-13088; reference:url,papers.mathyvanhoef.com/ccs2017.pdf; classtype:attempted-user; sid:44640; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Inedo BuildMaster web server login with default credentials attempt"; flow:to_server,established; content:"/0x44/BuildMaster.Web.WebApplication/Inedo.BuildMaster.Web.WebApplication.Pages.LogInPage/LogIn"; http_uri; content:"userName=Admin"; http_client_body; content:"password=Admin"; http_client_body; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/buildmaster_login.rb; classtype:policy-violation; sid:44702; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-OTHER NetSupport Manager RAT outbound connection detected"; flow:to_server,established; content:"User-Agent|3A| NetSupport Manager/"; fast_pattern:only; content:"CMD="; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/b87ef28981defd135496e25233cc7a47a376a75ddea97fcd4c0927995dd22e47/detection; classtype:trojan-activity; sid:44678; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt"; flow:to_client,established; file_data; flowbits:isset,file.zip; content:"|9A 56 03 D2 8A A9 2D 15 50 6D D3 B4 87 E0 5C C0 9B 63 A7 B1 53 D2 7F 3F 27 4E F9 10 74 9D 1F AC|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:44706; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt"; flow:to_client,established; file_data; flowbits:isset,file.zip; content:"|49 D3 21 71 26 C0 43 1F 8D 7D 00 A5 B2 E4 5A 72 43 FA F5 15 96 71 60 20 4D FD 60 D8 95 CE 6A F7|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:44705; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt"; flow:to_server,established; file_data; flowbits:isset,file.zip; content:"|9A 56 03 D2 8A A9 2D 15 50 6D D3 B4 87 E0 5C C0 9B 63 A7 B1 53 D2 7F 3F 27 4E F9 10 74 9D 1F AC|"; fast_pattern:only; metadata:service smtp; classtype:policy-violation; sid:44704; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt"; flow:to_server,established; file_data; flowbits:isset,file.zip; content:"|49 D3 21 71 26 C0 43 1F 8D 7D 00 A5 B2 E4 5A 72 43 FA F5 15 96 71 60 20 4D FD 60 D8 95 CE 6A F7|"; fast_pattern:only; metadata:service smtp; classtype:policy-violation; sid:44703; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"POLICY-OTHER RPC Portmapper getstat request attempt"; flow:to_server,no_stream; content:"|00 00 00 00 00 00 00 02 00 01 86 A0 00 00 00 04 00 00 00 0C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:36; offset:4; detection_filter:track by_src,count 10,seconds 1; metadata:service sunrpc; reference:url,www.us-cert.gov/ncas/alerts/TA14-017A; classtype:denial-of-service; sid:45166; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"POLICY-OTHER RPC Portmapper version 2 dump request attempt"; flow:to_server,no_stream; content:"|00 00 00 00 00 00 00 02 00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:36; offset:4; detection_filter:track by_src,count 10,seconds 1; metadata:service sunrpc; reference:url,www.us-cert.gov/ncas/alerts/TA14-017A; classtype:denial-of-service; sid:45165; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"POLICY-OTHER RPC Portmapper version 3 dump request attempt"; flow:to_server,no_stream; content:"|00 00 00 00 00 00 00 02 00 01 86 A0 00 00 00 03 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:36; offset:4; detection_filter:track by_src,count 10,seconds 1; metadata:service sunrpc; reference:url,www.us-cert.gov/ncas/alerts/TA14-017A; classtype:denial-of-service; sid:45164; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"POLICY-OTHER ZyXEL PK5001Z modem hardcoded admin password telnet login attempt"; flow:to_server,established; content:"admin|0D 0A|"; content:"QwestM0dem|0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service telnet; reference:cve,2016-10401; reference:url,www.zyxel.com/support/ci_general_20171211_957093.shtml; classtype:attempted-admin; sid:45245; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"POLICY-OTHER ZyXEL PK5001Z modem hardcoded root password telnet login attempt"; flow:to_server,established; content:"su|0D 0A|"; content:"zyad5001|0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service telnet; reference:cve,2016-10401; reference:url,www.zyxel.com/support/ci_general_20171211_957093.shtml; classtype:attempted-admin; sid:45244; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"POLICY-OTHER ZyXEL PK5001Z modem hardcoded admin password telnet login attempt"; flow:to_server,established; content:"admin|0D 0A|"; content:"CenturyL1nk|0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service telnet; reference:cve,2016-10401; reference:url,www.zyxel.com/support/ci_general_20171211_957093.shtml; classtype:attempted-admin; sid:45243; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Vicon Security and Infinova IP cameras IP filer state change"; flow:to_server,established; content:"/form/formChangeFirewallState"; fast_pattern:only; http_uri; content:"state="; http_client_body; metadata:service http; reference:url,github.com/mcw0/PoC#infinova-rce-authenticated; classtype:web-application-attack; sid:45311; rev:1;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER CoinHive Miner client detected"; flow:to_client,established; file_data; content:".getHashesPerSecond|28|"; nocase; content:".getTotalHashes|28|"; nocase; content:".getAcceptedHashes|28|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,coinhive.com/documentation/miner; classtype:policy-violation; sid:45268; rev:3;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER CoinHive Miner Javascript library download detected"; flow:to_client,established; file_data; content:"Miner.prototype.getHashesPerSecond"; nocase; content:"Miner.prototype.getTotalHashes"; fast_pattern:only; content:"Miner.prototype.isMobile"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,coinhive.com/documentation/miner; classtype:policy-violation; sid:45267; rev:3;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER CoinHive Miner client detected"; flow:to_client,established; file_data; content:"new CoinHive.User"; fast_pattern:only; content:".start|28|"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,coinhive.com/documentation/miner; classtype:policy-violation; sid:45266; rev:3;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER cryptomining javascript client detected"; flow:to_client,established; file_data; content:".Anonymous|28|"; nocase; content:".start|28|"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,coinhive.com/documentation/miner; reference:url,coinimp.com/documentation; classtype:policy-violation; sid:45265; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 3333 (msg:"POLICY-OTHER Stratum mining protocol outbound connection attempt"; flow:to_server,established; content:"{|22|method|22|:"; depth:10; fast_pattern; content:"|22|login|22|"; within:300; content:"|22|params|22|"; within:300; content:"{|22|login|22|"; within:300; content:"|22|pass|22|"; within:300; content:"|22|agent|22|"; within:300; reference:url,virustotal.com/file/c3ef8a6eb848c99b8239af46b46376193388c6e5fe55980d00f65818dba0b047/analysis/; classtype:policy-violation; sid:45417; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER TrendMicro ServerProtect server configuration file download detected"; flow:to_server,established; content:"/activeupdate/ini_xml.zip"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2017-9035; reference:url,www.coresecurity.com/advisories/trend-micro-serverprotect-multiple-vulnerabilities; classtype:attempted-recon; sid:45411; rev:1;)
|
|
# alert tcp $EXTERNAL_NET 3389 -> $HOME_NET any (msg:"POLICY-OTHER Remote Desktop weak 40-bit RC4 encryption use attempt"; flow:to_client,established; content:"|02 0C|"; content:"|01 00 00 00 01 00 00 00 20 00 00 00|"; within:12; distance:2; content:"|01 00 00 00 01 00 00 00 01 00 00 00 06 00|"; within:14; distance:36; metadata:policy max-detect-ips drop, service rdp; reference:url,attack.mitre.org/techniques/T1076; classtype:policy-violation; sid:45518; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER Possible Cisco IOS upgrade attempt"; content:"CW_IMAGE"; fast_pattern:only; content:"CW_MEDIA"; content:"RAM"; within:20; content:"CW_SYSDESCR"; content:"Cisco"; within:20; metadata:service tftp; classtype:policy-violation; sid:45641; rev:1;)
|
|
# alert tcp $EXTERNAL_NET 20 -> $HOME_NET any (msg:"POLICY-OTHER Possible Cisco IOS upgrade attempt"; flow:to_server,established; content:"CW_IMAGE"; fast_pattern:only; content:"CW_MEDIA"; content:"RAM"; within:20; content:"CW_SYSDESCR"; content:"Cisco"; within:20; classtype:policy-violation; sid:45640; rev:1;)
|
|
# alert tcp $SIP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"POLICY-OTHER Polycom VoIP config download attempt"; flow:to_client,established; file_data; content:"<APPLICATION APP_FILE_PATH"; fast_pattern:only; content:"CONFIG_FILES="; nocase; content:".cfg"; within:100; nocase; metadata:service http; reference:url,viproy.com/; classtype:attempted-user; sid:45770; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1234 (msg:"POLICY-OTHER AutomationDirect Point Of View built-in function WebGetFile usage attempt"; flow:to_server,established; content:"|02|"; depth:1; content:"W|00|e|00|b|00|G|00|e|00|t|00|F|00|i|00|l|00|e|00|(|00|"; distance:0; content:"|03|"; distance:0; reference:url,automationdirect.com; classtype:attempted-user; sid:45759; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1234 (msg:"POLICY-OTHER AutomationDirect Point Of View guest login attempt"; flow:to_server,established; content:"|02|"; depth:1; content:"G|00|u|00|e|00|s|00|t|00|"; distance:0; content:"c|00|7|00|2|00|e|00|4|00|9|00|7|00|4|00|2|00|b|00|2|00|0|00|b|00|3|00|6|00|7|00|2|00|4|00|8|00|2|00|f|00|7|00|0|00|c|00|1|00|7|00|f|00|9|00|5|00|9|00|0|00|2|00|"; within:64; distance:2; content:"|03|"; distance:0; reference:url,automationdirect.com; classtype:attempted-user; sid:45758; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Sandvine PacketLogic http redirection attempt"; flow:to_client,established; content:"Temporary Redirect"; fast_pattern:only; id:13330; fragbits:!MDR; flags:FA; content:"307"; depth:3; http_stat_code; content:"Temporary Redirect"; nocase; http_stat_msg; metadata:ruleset community, service http; reference:url,citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria; reference:url,github.com/citizenlab/badtraffic; classtype:misc-activity; sid:45983; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER TP-Link device enable remote management attempt"; flow:to_server,established; file_data; content:"/userRpm/ManageControlRpm.htm"; http_uri; content:"ip="; http_uri; content:"Referer"; http_header; content:"Authorization"; http_header; metadata:service http; reference:url,trendnet.com/home; classtype:misc-activity; sid:46448; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER TP-Link device reboot attempt"; flow:to_server,established; file_data; content:"/userRpm/SysRebootRpm.htm"; http_uri; content:"Reboot="; http_uri; content:"Referer"; http_header; content:"Authorization"; http_header; metadata:service http; reference:url,trendnet.com/home; classtype:misc-activity; sid:46447; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Arris VAP2500 default credentials authentication attempt"; flow:to_server,established; content:"/login.php"; http_uri; content:"user=SuperATT"; fast_pattern:only; content:"pwd="; pcre:"/pwd=DC(\x21|%21)94(\x40|%40)B3/i"; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:policy-violation; sid:47070; rev:2;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Magecart js page injection attempt"; flow:to_client,established; file_data; content:"Token"; nocase; content:"angularCdn"; within:100; nocase; content:"AngularPages"; within:500; fast_pattern; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:policy-violation; sid:47915; rev:1;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Magecart js page injection attempt"; flow:to_client,established; file_data; content:"Angular"; nocase; content:"load"; within:50; nocase; content:"function()"; within:50; nocase; content:"angularPages"; within:500; fast_pattern; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:policy-violation; sid:47914; rev:1;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Magecart redirect page detected"; flow:to_client,established; file_data; content:"algularToken"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:policy-violation; sid:47913; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER phpmyadmin external SQL query detected"; flow:to_server,established; content:"/import.php"; fast_pattern:only; http_uri; content:"sql_query"; nocase; http_client_body; pcre:"/sql(\x5f|%5f)query=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:service http; classtype:policy-violation; sid:47830; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7135 (msg:"POLICY-OTHER IntegraXor config change attempt"; flow:to_server,established; content:"{"; depth:1; content:"function_id"; distance:0; content:"parameters"; content:"prj_mSetting"; distance:0; reference:url,integraxor.com; classtype:policy-violation; sid:47455; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"POLICY-OTHER Oracle WebLogic T3 inbound connection detected"; flow:to_server,established; content:"t3"; depth:2; content:"AS|3A|"; content:"HL|3A|"; fast_pattern:only; content:"MS|3A|"; metadata:service http; classtype:policy-violation; sid:47413; rev:1;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER cryptomining javascript client detected"; flow:to_client,established; file_data; content:".Token|28|"; nocase; content:".start|28|"; within:1000; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,coinhive.com/documentation/miner; reference:url,coinimp.com/documentation; classtype:policy-violation; sid:47253; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2638 (msg:"POLICY-OTHER Siemens SICAM PAS hard coded factory account usage attempt"; flow:to_server,established; file_data; content:"|46 C2 72 2F 1E D0 77 3B E8 F7 05 A1 4B 03 32 E9 13 09 7F B9 7B 41 DF EF A0 38 02 9C 94 D3 08 78|"; offset:8; reference:cve,2016-8567; classtype:attempted-user; sid:47146; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Infrasightlabs vScopeServer admin user creation attempt"; flow:to_server,established; content:"/rest/usermanager/users"; fast_pattern:only; http_uri; content:"groupIds="; http_uri; content:"vscope-admins"; distance:0; http_uri; content:"|22|isNew|22|"; http_client_body; content:"true"; within:10; http_client_body; metadata:service http; reference:url,www.infrasightlabs.com; classtype:misc-activity; sid:48160; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER C-More Programming Simulator denial of service attempt"; flow:to_server,established; content:"|01 3C E8 03 06 95 F0 16 AF 1E 0D 06 82 C8 06 95 F0 16 AF 1E 0D 06 82 C8 06 95 F0 16 AF 1E 0D 06 82 C8|"; fast_pattern:only; isdataat:300; reference:url,support.automationdirect.com/products/cmore.html; classtype:attempted-dos; sid:48823; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1111 (msg:"POLICY-OTHER Linksys WAP610N command injection attempt"; flow:to_server,established; content:"system "; reference:url,www.exploit-db.com/exploits/16149; classtype:successful-admin; sid:49436; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER D-Link DIR-615 remote unauthenticated password modification attempt"; flow:to_server,established; content:"apply.cgi"; http_uri; content:"admin_password1"; http_client_body; content:"admPass2"; http_client_body; content:"remote_http_management_enable"; fast_pattern:only; http_client_body; metadata:service http; reference:url,support.dlink.com/ProductInfo.aspx?m=DIR-615; classtype:policy-violation; sid:49462; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER D-Link DIR-615 remote unauthenticated password modification attempt"; flow:to_server,established; content:"apply.cgi"; http_uri; content:"admin_password1"; http_uri; content:"admPass2"; http_uri; content:"remote_http_management_enable"; fast_pattern:only; http_uri; metadata:service http; reference:url,support.dlink.com/ProductInfo.aspx?m=DIR-615; classtype:policy-violation; sid:49461; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Thomson TWG850-4 unauthenticated backup download attempt"; flow:to_server,established; content:"/GatewaySettings.bin"; http_uri; metadata:service http; classtype:attempted-recon; sid:49506; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER WordPress Easy WP SMTP plugin config settings export attempt"; flow:to_server,established; content:"swpsmtp_export_settings"; fast_pattern:only; http_client_body; metadata:service http; reference:url,plugins.trac.wordpress.org/changeset/2052058/easy-wp-smtp/trunk/easy-wp-smtp.php; classtype:policy-violation; sid:49543; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER WordPress Easy WP SMTP plugin config settings import attempt"; flow:to_server,established; content:"swpsmtp_import_settings_file"; fast_pattern:only; http_client_body; content:"filename"; nocase; http_client_body; metadata:service http; reference:url,plugins.trac.wordpress.org/changeset/2052058/easy-wp-smtp/trunk/easy-wp-smtp.php; classtype:policy-violation; sid:49542; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER WordPress Easy WP SMTP plugin log file access attempt"; flow:to_server,established; content:"swpsmtp_action=view_log"; fast_pattern:only; http_uri; metadata:service http; reference:url,plugins.trac.wordpress.org/changeset/2052058/easy-wp-smtp/trunk/easy-wp-smtp.php; classtype:policy-violation; sid:49541; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"POLICY-OTHER Sagem Fast Router default credentials login attempt"; flow:to_server,established; content:"Menara"; fast_pattern; content:"Menara"; within:50; metadata:service telnet; classtype:default-login-attempt; sid:49521; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER TP-Link TL-WA850RE remote reboot attempt"; flow:to_server,established; content:"/data/reboot.json"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2018-12694; reference:url,www.tp-link.com; classtype:policy-violation; sid:49860; rev:1;)
|