Permalink
Switch branches/tags
Nothing to show
Find file Copy path
5bf0638 May 10, 2017
1 contributor

Users who have contributed to this file

103 lines (77 sloc) 10.7 KB
# Sagan bro-ids.rules
# Copyright (c) 2009-2017, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*****************************************************************************
#
# Note: Your syslog daemon will need to forward Bro logs to your Sagan server. With syslog-ng, you would do
# something like this:
#
# destination sagan_box { udp("10.10.10.10" port(514)); } ;
# source s_bro_notice { file("/var/log/bro/log/current/notice.log" flags(no-parse) program_override("bro")); };
# log { source(s_bro_notice); destination(sagan_box); };
#
# For rsyslog, see: http://www.rsyslog.com/doc/imfile.html
#
# The syslog "program" field will _need_ to be "bro"!
#
#*****************************************************************************
#
# Submitted by Brad Doctor (July 2nd, 2010). For more information see
# http://www.bro-ids.org/
#
# (Legacy Bro rules) - Now disbaled by default
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Successful Password Guessing [0/5]"; content: "SuccessfulPasswordGuessing"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000883; sid: 5000883; threshold: type limit, track by_src, count 5, seconds 120; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Protocol Violation [0/5]"; content: "ProtocolViolation"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000884; sid: 5000884; threshold: type limit, track by_src, count 5, seconds 120; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Sensitive Login [0/5]"; content: "SensitiveLogin"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: suspicious-login; reference: url,wiki.quadrantsec.com/bin/view/Main/5000885; sid: 5000885; threshold: type limit, track by_src, count 5, seconds 120; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Sensitive Connection [0/5]"; content: "SensitiveConnection"; program: parse_src_ip: 1; parse_dst_ip: 2; bro; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000886; sid: 5000886; threshold: type limit, track by_src, count 5, seconds 120; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Sensitive Username in password [0/5]"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; content: "SensitiveUsernameInPassword"; default_proto: tcp; classtype: successful-admin; url,wiki.quadrantsec.com/bin/view/Main/5000887; sid: 5000887; threshold: type limit, track by_src, count 5, seconds 120; rev:4;)
# Robert Nunley & Champ Clark - 06/10/2014
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BRO] SSH Password_Guessing [0/5]"; content: "SSH|3a 3a|Password_Guessing"; program: bro; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: misc-attack; parse_src_ip: 1; parse_dst_ip: 2; threshold: type limit, track by_src, count 1, seconds 120; xbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5002063; sid: 5002063; rev:5;)
# Note: You will need licensing to use the Team Cymru Malware Hash Registry for corporate use. See http://www.team-cymru.org/Services/MHR/
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] TeamCymruMalwareHashRegistry Match"; content: "TeamCymruMalwareHashRegistry|3a 3a|Match"; parse_src_ip: 1; parse_dst_ip: 2; program: bro; reference: url,www.team-cymru.org/Services/MHR/; classtype: trojan-activity; sid: 5002064; rev:3;)
# Triggers many F/P
#alert any $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[BRO] HTTP SQL_Injection_Attacker"; content: "HTTP|3a 3a|SQL_Injection_Attacker"; parse_src_ip: 1; parse_dst_ip: 2; program: bro; reference: url,wiki.quadrantsec.com/bin/view/Main/5002065; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; sid: 5002065; rev:4;)
#alert any $EXTERNAL_NET any -> $HTTP_PORT any (msg: "[BRO] HTTP SQL_Injection_Victim"; content: "HTTP|3a 3a|SQL_Injection_Victim"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002066; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; sid: 5002066; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] SSH Login_By_Password_Guesser"; content: "SSH|3a 3a|Login_By_Password_Guesser"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; xbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5002067; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; sid: 5002067; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] SSH Watched_Country_Login"; content: "SSH|3a 3a|Watched_Country_Login"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002068; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; sid: 5002068; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] 10+ SSL Invalid_Server_Cert in 30 seconds [10/5]"; content: "SSL|3a 3a|Invalid_Server_Cert"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; after: track by_src, count 10, seconds 30; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002069; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: suspicious-traffic; sid: 5002069; rev:5;)
# Robert Nunley & Champ Clark - 06/11/2014
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] 10+ unable to get local issuer certificate in 30 seconds [10/5]"; content: "unable to get local issuer certificate"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; after: track by_src, count 10, seconds 30; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002070; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: suspicious-traffic; sid: 5002070; rev:4;)
# These rules are based on Bro scripts from Liam Randall. They are located at: https://github.com/LiamRandall/BroMalware-Exercise. These will need to be loaded into Bro to trigger!
# https://github.com/LiamRandall/BroMalware-Exercise/tree/master/solutions/zeroaccess
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] ZeroAccess ZeroAccess_Client [0/5]"; content: "ZeroAccess|3a 3a|ZeroAccess_Client"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; threshold: type limit, track by_src, count 5, seconds 300; default_proto: udp; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002070; url,github.com/LiamRandall/BroMalware-Exercise/tree/master/solutions/zeroaccess; sid: 5002071; rev:3;)
# https://github.com/LiamRandall/BroMalware-Exercise/tree/master/solutions/lurk0
# Bitcoin mining detection
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Bitcoin Miner [0/10]"; content: "Bitcoin|3a 3a|Miner"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; threshold: type limit, track by_src, count 10, seconds 300; default_proto: tcp; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002074; url,github.com/LiamRandall/BroMalware-Exercise/tree/master/solutions/lurk0; sid: 5002074; rev:4;)
# https://github.com/LiamRandall/BroMalware-Exercise/tree/master/solutions/lurk0
# Lurk0 RAT ::Lurk0_Client
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Probable LURK0 RAT C&C Access"; content: "Lurk0|3a 3a|Lurk0_Client"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; default_prot: tcp; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002072; url,github.com/LiamRandall/BroMalware-Exercise/tree/master/solutions/lurk0; sid: 5002072; rev:3;)
# Sidejacking
# Added in the main Bro repo. See http://matthias.vallentin.net/blog/2010/10/taming-the-sheep-detecting-sidejacking-with-bro/ for more details.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Sidejacking attach detected"; content: "Sidejacking"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5002073; reference: url,matthias.vallentin.net/blog/2010/10/taming-the-sheep-detecting-sidejacking-with-bro; sid: 5002073; rev:3;)
# This rule detect internal (rfc1918) systems port scanning, but ignores everything else!
# Example log:
#1459283371.705967 - - - - - - - - - Scan::Port_Scan 10.1.0.34 scanned at least 15 unique ports of host 10.1.0.4 in 0m2s local 10.1.0.34 10.1.0.4 - - bro Notice::ACTION_LOG 3600.000000 F - - - - -
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] RFC1918 address scanning the network"; content: "Scan|3a 3a|Port_Scan"; pcre:"/((192)\.(168)\.(\d+)\.(\d+)|(10)\.(\d+)\.(\d+)\.(\d+)|(172)\.(1[6,7,8,9])\.(\d+)\.(\d+)|(172)\.(2[0,1,2,3,4,5,6,7,8,9])\.(\d+)\.(\d+)|(172)\.(3[0,1])\.(\d+)\.(\d+)) scanned at least \d+ unique ports/smi"; program: bro; parse_src_ip: 1; threshold: type limit, track by_src, count 1, seconds 86400; xbits: set,recon,86400; classtype: attempted-recon; reference: url,wiki.quadrantsec.com/bin/view/Main/5002798; sid:5002798; rev:4;)