
Re-write of many -correlated rules to be stand-alone xbits.

Champ Clark III
Champ Clark III committed Nov 22, 2017
1 parent 9af8765 commit 0c8af0541024a0effdd924cf0f42840d060f47d9
@@ -25,14 +25,37 @@
#
#

alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] Console login after suspicious activity"; program: %SEC_LOGIN-5-LOGIN_SUCCESS; classtype: correlated-attack; xbits: isset,by_src,recon|honeypot|exploit_attempt; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002360; sid:5002360; rev: 5;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] Login permitted after suspicious activity"; program: %ASA*-6-605005; classtype: correlated-attack; xbits: isset,by_src,recon|honeypot|exploit_attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002361; sid:5002361; rev: 5;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] VPN login after suspicious activity"; program: %ASA*-6-716001|%ASA*-6-716038; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,recon|honeypot|exploit_attempt; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002362; sid:5002362; rev: 5;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] VPN disconnect after suspicious activity"; program: %ASA*-4-113019|%ASA*-6-716002|%ASA*-6-721018; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,recon|honeypot|exploit_attempt; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002363; sid:5002363; rev: 5;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] VPN login after suspicious activity"; program: %ASA*-6-734001; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; xbits: isset,by_src,recon|honeypot|exploit_attempt; reference: url, wiki.quadrantsec.com/bin/view/Main/5002364; sid:5002364; rev: 5;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] ACS Login success after suspicious activity"; program: CisACS_01_PassedAuth; classtype: correlated-attack; xbits: isset,by_src,recon|honeypot|exploit_attempt; parse_src_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002365; sid:5002365; rev: 5;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] VPN login after suspicious activity [2]"; program: %ASA*-6-722022|%ASA*-6-722023; classtype: correlated-attack; xbits: isset,by_src,recon|honeypot|exploit_attempt; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002366; sid:5002366; rev: 5;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] FTP file transfer after suspicious activity"; program: %ASA*-6-303002; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; xbits: isset,by_src,recon|honeypot|exploit_attempt; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5002367; sid:5002367; rev: 6;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] FTP file transfer after suspicious activity [2]"; program: %ASA*-6-303002; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; xbits: isset,by_src,recon|honeypot|exploit_attempt; parse_src_ip: 1; parse_dst_ip: 2; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5002368; sid:5002368; rev: 7;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] Console login after recon activity"; program: %SEC_LOGIN-5-LOGIN_SUCCESS; classtype: correlated-attack; xbits: isset,by_src,recon; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5003210; sid:5003210; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] Console login after honeypot activity"; program: %SEC_LOGIN-5-LOGIN_SUCCESS; classtype: correlated-attack; xbits: isset,by_src,honeypot; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5003211; sid:5003211; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] Console login after exploit attempt"; program: %SEC_LOGIN-5-LOGIN_SUCCESS; classtype: correlated-attack; xbits: isset,by_src,exploit_attempt; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5003212; sid:5003212; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] Console login after brute force activity"; program: %SEC_LOGIN-5-LOGIN_SUCCESS; classtype: correlated-attack; xbits: isset,by_src,brute_force; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5003232; sid:5003232; rev:1;)


alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] Login permitted after recon activity"; program: %ASA*-6-605005; classtype: correlated-attack; xbits: isset,by_src,recon; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5003213; sid:5003213; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] Login permitted after honeypot activity"; program: %ASA*-6-605005; classtype: correlated-attack; xbits: isset,by_src,honeypot; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5003214; sid:5003214; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] Login permitted after exploit attempt"; program: %ASA*-6-605005; classtype: correlated-attack; xbits: isset,by_src,exploit_attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5003215; sid:5003215; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] Login permitted after brute force activity"; program: %ASA*-6-605005; classtype: correlated-attack; xbits: isset,by_src,brute_force; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5003233; sid:5003233; rev:1;)


alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] VPN login after recon activity"; program: %ASA*-6-716001|%ASA*-6-716038|%ASA*-6-734001|%ASA*-6-722022|%ASA*-6-722023; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,recon; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5003216; sid:5003216; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] VPN login after honey activity"; program: %ASA*-6-716001|%ASA*-6-716038|%ASA*-6-734001|%ASA*-6-722022|%ASA*-6-722023; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,honeypot; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5003217; sid:5003217; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] VPN login after exploit attempt"; program: %ASA*-6-716001|%ASA*-6-716038|%ASA*-6-734001|%ASA*-6-722022|%ASA*-6-722023; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,exploit_attempt; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5003218; sid:5003218; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] VPN login after brute force activity"; program: %ASA*-6-716001|%ASA*-6-716038|%ASA*-6-734001|%ASA*-6-722022|%ASA*-6-722023; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,brute_force; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5003234; sid:5003234; rev:1;)


alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] VPN disconnect after recon activity"; program: %ASA*-4-113019|%ASA*-6-716002|%ASA*-6-721018; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,recon; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5003219; sid:5003219; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] VPN disconnect after honeypot activity"; program: %ASA*-4-113019|%ASA*-6-716002|%ASA*-6-721018; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,honeypot; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5003220; sid:5003220; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] VPN disconnect after exploit attempt"; program: %ASA*-4-113019|%ASA*-6-716002|%ASA*-6-721018; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,exploit_attempt; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5003221; sid:5003221; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] VPN disconnect after brute force activity"; program: %ASA*-4-113019|%ASA*-6-716002|%ASA*-6-721018; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,brute_force; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5003235; sid:5003235; rev:1;)


alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] ACS Login success after recon activity"; program: CisACS_01_PassedAuth; classtype: correlated-attack; xbits: isset,by_src,recon; parse_src_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5003222; sid:5003222; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] ACS Login success after honeypot activity"; program: CisACS_01_PassedAuth; classtype: correlated-attack; xbits: isset,by_src,honeypot; parse_src_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5003223; sid:5003223; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] ACS Login success after exploit attempt"; program: CisACS_01_PassedAuth; classtype: correlated-attack; xbits: isset,by_src,exploit_attempt; parse_src_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5003224; sid:5003224; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] ACS Login success brute force activity"; program: CisACS_01_PassedAuth; classtype: correlated-attack; xbits: isset,by_src,brute_force; parse_src_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5003236; sid:5003236; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] FTP file transfer after recon activity"; program: %ASA*-6-303002|%ASA*-6-303002; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; xbits: isset,by_src,recon; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5003225; sid:5003225; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] FTP file transfer after honeypot activity"; program: %ASA*-6-303002|%ASA*-6-303002; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; xbits: isset,by_src,honeypot; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5003226; sid:5003226; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] FTP file transfer after exploit attempt"; program: %ASA*-6-303002|%ASA*-6-303002; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; xbits: isset,by_src,exploit_attempt; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5003227; sid:5003227; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] FTP file transfer after brute force activity"; program: %ASA*-6-303002|%ASA*-6-303002; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; xbits: isset,by_src,brute_force; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5003237; sid:5003237; rev:1;)

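Review bot: The four new FTP rules (sids 5003225, 5003226, 5003227, 5003237) list the same syslog ID twice in `program: %ASA*-6-303002|%ASA*-6-303002;`; the second alternative is redundant and should be dropped to `program: %ASA*-6-303002;`. The same four rules also carry no `parse_src_ip`/`parse_dst_ip`, whereas the 5002368 rule they replace had `parse_src_ip: 1; parse_dst_ip: 2;` — if `xbits: isset,by_src` keys on the syslog source rather than the parsed address when no parse option is set, these rules would test the xbit against the ASA itself instead of the peer, so confirm that is intended. Two message strings look mistyped: sid 5003217 says "after honey activity" (the sibling rules say "honeypot") and sid 5003236 reads "ACS Login success brute force activity", missing "after". Review of the xbit names themselves (recon, honeypot, exploit_attempt, brute_force) depends on the rules that set them, which are not in this hunk.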
@@ -28,6 +28,21 @@

# Login/login attempt after recon/honeypot/exploit_attempt/brute_force (Champ Clark / 09/18/2015)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] Login after suspicious activity"; content: "SSLVPN LOGIN"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; parse_dst_ip: 2; xbits: isset,by_src,recon|honeypot|exploit_attempt|brute_force; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002357; sid:5002357; rev:8;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] AAA LOGIN_FAILED after suspicious activity"; content: "AAA LOGIN_FAILED"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; normalize; xbits: isset,by_src,recon|honeypot|exploit_attempt; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002358; sid:5002358; rev:6;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] SSLVPN HTTPREQUEST after suspicious activity"; content: "SSLVPN HTTPREQUEST"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; normalize; xbits: isset,by_src,recon|honeypot|exploit_attempt|brute_force; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002359; sid:5002359; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] Login after recon activity"; content: "SSLVPN LOGIN"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; parse_dst_ip: 2; xbits: isset,by_src,recon; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5003228; sid:5003228; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] Login after honeypot activity"; content: "SSLVPN LOGIN"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; parse_dst_ip: 2; xbits: isset,by_src,honeypot; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5003229; sid:5003229; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] Login after exploit attempt"; content: "SSLVPN LOGIN"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; parse_dst_ip: 2; xbits: isset,by_src,exploit_attempt; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5003230; sid:5003230; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] Login after brute force attempt"; content: "SSLVPN LOGIN"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; parse_dst_ip: 2; xbits: isset,by_src,brute_force; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5003231; sid:5003231; rev:1;)


#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] AAA LOGIN_FAILED after suspicious activity"; content: "AAA LOGIN_FAILED"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; normalize; xbits: isset,by_src,recon|honeypot|exploit_attempt; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002358; sid:5002358; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] AAA LOGIN_FAILED after recon activity"; content: "AAA LOGIN_FAILED"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; normalize; xbits: isset,by_src,recon; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5003238; sid:5003238; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] AAA LOGIN_FAILED after honeypot activity"; content: "AAA LOGIN_FAILED"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; normalize; xbits: isset,by_src,honeypot; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5003239; sid:5003239; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] AAA LOGIN_FAILED after exploit attempt"; content: "AAA LOGIN_FAILED"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; normalize; xbits: isset,by_src,exploit_attempt; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5003240; sid:5003240; rev:1;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] SSLVPN HTTPREQUEST after recon activity"; content: "SSLVPN HTTPREQUEST"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; normalize; xbits: isset,by_src,recon; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5003241; sid:5003241; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] SSLVPN HTTPREQUEST after honeypot activity"; content: "SSLVPN HTTPREQUEST"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; normalize; xbits: isset,by_src,honeypot; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5003242; sid:5003242; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] SSLVPN HTTPREQUEST after exploit attempt"; content: "SSLVPN HTTPREQUEST"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; normalize; xbits: isset,by_src,exploit_attempt; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5003243; sid:5003243; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] SSLVPN HTTPREQUEST after brute force activity"; content: "SSLVPN HTTPREQUEST"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; normalize; xbits: isset,by_src,brute_force; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5003244; sid:5003244; rev:1;)

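Review bot: Line 73 is a commented-out copy of sid 5002358 that is identical to the active rule above it (L64); if 5002358 is meant to stay enabled the dead copy should be deleted, and if it is meant to be retired the active line should go instead, otherwise the file keeps two definitions of one sid. The header comment on L61 promises recon/honeypot/exploit_attempt/brute_force variants, but the AAA LOGIN_FAILED group (sids 5003238-5003240) has no brute_force rule while the LOGIN and HTTPREQUEST groups do; either add the fourth rule or note the omission in the comment, e.g. `# AAA LOGIN_FAILED intentionally has no brute_force variant: the failure itself is what sets that bit`, if that is the reason. Minor: sid 5003231 says "after brute force attempt" where every sibling says "after brute force activity". Every rule here still carries `fwsam: src, 1 day`, so a single SSLVPN LOGIN from an address that earlier tripped a honeypot bit now blocks that source for a day — worth stating in the comment block so operators know these rules are active-response, not just alerting.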