
New bad rabbit, HP switch and normalization rules.

Champ Clark III
Champ Clark III committed Nov 7, 2017
1 parent 0e29046 commit 2d5c717d99b105f5d23311c7afd20df98498466d
Showing with 40 additions and 2 deletions.
  1. +1 −1 .last_used_sid
  2. +22 −0 normalization.rulebase
  3. +4 −1 procurve.rules
  4. +5 −0 sagan-sid-msg.map
  5. +8 −0 windows-malware.rules
@@ -1 +1 @@
5003204
5003209
@@ -377,3 +377,25 @@ rule=: %-:word% %-:word% %-:word% %-:word% : AAA LOGIN_FAILED %-:word% : User %
rule=: %-:word% %-:word% %-:word% %-:word% : SSLVPN LOGIN %-:number% : Context %-:word% - SessionId: %-:word% User %username:word% - Client_ip %src-ip:ipv4% %-:rest%
rule=: %-:word% %-:word% %-:word% %-:word% : SSLVPN LOGOUT %-:number% : Context %-:word% - SessionId: %-:word% User %username:word% - Client_ip %src-ip:ipv4% %-:rest%
# New normalization rules from Sam Castellango (2017/11/07)
# This is for Microsoft Windows event 4624:
rule=: %-:string-to:Account Name:%Account Name: %-:string-to:Account Name:%Account Name: %Username:word% %-:string-to:Network Address:%Network Address: %Src-IP:ipv4% %-:rest%
# Palo Alto Firewall
# 10.11.11.11|user|info|info|0e|2017-01-11|11:50:31|1,2017/01/28| 13:20:31,1009A101774,SYSTEM,general,0,2017/08/28 13:20:31,,general,,0,0,general,informational,User frank logged in via CLI from \ 10.1.9.3,891392,0x0,0,0,0,0,,XXXXXXXX-1
rule=: %-:string-to:User%User %Username:word% %-:char-to:\\%\ %Src-ip:char-to:\x2c%%-:rest%
# HP switches
# 10.1.11.1|syslog|info|info|2e|2017-01-28|01:19:00|01342| auth: User 'frank' logged in from 10.1.1.1 to SSH session
rule=: %-:string-to:User%User %Username:word% logged in from %Src-IP:ipv4% %-:rest%
# This is for Microsoft Windows event 4769:
rule=: %-:string-to:Account Name:%Account Name: %User:char-to:\x40%%-:string-to:Client Address:%Client Address: ::ffff:%Src-ip:ipv4% %-:rest%
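Review bot: The four new rules (Windows 4624, Palo Alto, HP switch, Windows 4769) capture into `Username`, `Src-IP`, `Src-ip` and `User`, whereas the existing SSLVPN rules just above use `username` and `src-ip`; if Sagan's lookup of normalized fields is case-sensitive (it appears to be, but confirm against the normalize code), none of the new rules will actually populate the username/src-ip that downstream output and `track by_src` depend on. Use the same lowercase keys throughout, e.g. `%username:word%`, `%src-ip:ipv4%`, and `%username:char-to:\x40%` in the 4769 rule. Note also that liblognorm's `ipv4` type only matches dotted-quad, so the 4624 rule silently fails on the `-` (local logon) and `::1`/IPv6 forms of Network Address, and the 4769 rule requires the `::ffff:` prefix, skipping plain IPv4 or native IPv6 client addresses; a comment such as `# only dotted-quad source addresses are normalized; '-', '::1' and native IPv6 fall through` would make that limitation explicit.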
@@ -38,5 +38,8 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HP-E-SERIES-SWITCH] Port Se
# The "program" becomes the alert ID. So no "content:" is needed - Champ Clark III 06/25/2012
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HP-E-SERIES-L3-SWITCH] port is off-line"; program: 00077; classtype: hardware-event; sid: 5001124; reference: url,wiki.quadrantsec.com/bin/view/Main/5001124; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HP-E-SERIES-L3-SWITCH] Invalid username/password"; program: 00419; classtype: unsuccessful-user; sid: 5001125; reference: url,wiki.quadrantsec.com/bin/view/Main/5001125; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HP-E-SERIES-L3-SWITCH] Invalid username/password"; program: 00419; classtype: unsuccessful-user; sid: 5001125; reference: url,wiki.quadrantsec.com/bin/view/Main/5001125; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HP-E-SERIES-L3-SWITCH] Invalid username/password - Brute Force [5/1]"; program: 00419; classtype: unsuccessful-user; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; sid:5003205; reference: url,wiki.quadrantsec.com/bin/view/Main/5003205; rev:1;)
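Review bot: The new brute-force rule 5003205 pairs `after: track by_src, count 5, seconds 300` with `threshold: type limit, track by_src, count 1, seconds 86400`, so once a source trips it you get one alert and then nothing for 24 hours however long the attempts continue; if, as the paired uncommented/commented lines above suggest, the per-event rule 5001125 is now disabled, there is no signal at all for the first four failures or for an attacker pacing attempts below 5 per 300s. Consider keeping 5001125 enabled as the per-event record and shortening the re-alert window, e.g. `threshold: type limit, track by_src, count 1, seconds 3600;`. `parse_src_ip: 1` also assumes the program 00419 message carries the client address as its first IP; if it does not, `track by_src` collapses to the switch's own syslog address and all clients are counted together, so a comment on the rule naming the log format it was tested against would help.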
@@ -3092,6 +3092,11 @@
5003202 || [WINDOWS-MALWARE] Locky/CryptoMix ransomware note detected || url,www.bleepingcomputer.com/news/security/new-error-cryptomix-ransomware-variant-released/ || url,wiki.quadrantsec.com/bin/view/Main/5003202
5003203 || [WINDOWS-AUTH] SAM Database Unable to Lock Account || url,technet.microsoft.com/en-us/library/cc733228(v=ws.10).aspx || url,wiki.quadrantsec.com/bin/view/Main/5003203
5003204 || [WINDOWS-MALWARE] Bad Rabbit Malware scheduled task detected || url,wiki.quadrantsec.com/bin/view/Main/5003204 || url,blog.talosintelligence.com/2017/10/bad-rabbit.html
5003205 || [HP-E-SERIES-L3-SWITCH] Invalid username/password - Brute Force [5/1] || url,wiki.quadrantsec.com/bin/view/Main/5003205
5003206 || [WINDOWS-MALWARE] Bad Rabbit payload delivery SHA256 hash detected || url,wiki.quadrantsec.com/bin/view/Main/5003206 || url,hybrid-analysis.com/sample/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93?environmentId=100 || url,bleepingcomputer.com/news/security/bad-rabbit-ransomware-outbreak-hits-eastern-europe/
5003207 || [WINDOWS-MALWARE] Bad Rabbit payload delivery SHA1 hash detected || url,wiki.quadrantsec.com/bin/view/Main/5003207 || url,hybrid-analysis.com/sample/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93?environmentId=100
5003208 || [WINDOWS-MALWARE] Bad Rabbit payload delivery MD5 hash detected || url,wiki.quadrantsec.com/bin/view/Main/5003208 || url,hybrid-analysis.com/sample/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93?environmentId=100
5003209 || [WINDOWS-MALWARE] Bad Rabbit detected by filename || url,wiki.quadrantsec.com/bin/view/Main/5003209 || url,hybrid-analysis.com/sample/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93?environmentId=100
6000510 || [OSSEC] Level 7 - Host-based anomaly detection event (rootcheck). (ossec_rules.xml:ossec)
6000513 || [OSSEC] Level 9 - Windows malware detected. (ossec_rules.xml:ossec)
6000518 || [OSSEC] Level 9 - Windows Adware/Spyware application found. (ossec_rules.xml:ossec)
@@ -312,4 +312,12 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Locky/Crypt
alert any any any -> any any (msg: "[WINDOWS-MALWARE] Bad Rabbit Malware scheduled task detected"; content: "scheduled task"; nocase; meta_content: "%sagan%", viserion_,rhaegal,drogon ; meta_nocase; pcre: "/ 602: | 4698: /"; classtype: trojan-activity; program: Security*; reference: url,blog.talosintelligence.com/2017/10/bad-rabbit.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003204; sid:5003204; rev:1;)
# Sam Castellano - More bad Rabbit (2017/11/07)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Bad Rabbit payload delivery SHA256 hash detected "; meta_content: "%sagan%", 8e2d709a262bd3a1ef288a87f737a7be8cdf9973751432bff7bf1956b83a94bc,8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93,afeee8b4acff87bc469a6f0364a81ae5d60a2add,de5c8d858e6e41da715dca1c019df0bfb92d32c0,630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da,579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648,0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6; meta_nocase; classtype: trojan-activity; reference: url,bleepingcomputer.com/news/security/bad-rabbit-ransomware-outbreak-hits-eastern-europe/; reference: url,hybrid-analysis.com/sample/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93?environmentId=100; reference: url,wiki.quadrantsec.com/bin/view/Main/5003206; sid:5003206; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Bad Rabbit payload delivery SHA1 hash detected "; content: 6d8104674ea6206080b050d73f265ea75edbd7d3; nocase; classtype: trojan-activity; reference: url,hybrid-analysis.com/sample/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93?environmentId=100; reference: url,wiki.quadrantsec.com/bin/view/Main/5003207; sid:5003207; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Bad Rabbit payload delivery MD5 hash detected "; content: 1d4f2b4d8430941d383f8e49519f6d90; nocase; classtype: trojan-activity; reference: url,hybrid-analysis.com/sample/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93?environmentId=100; reference: url,wiki.quadrantsec.com/bin/view/Main/5003208; sid:5003208; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Bad Rabbit detected by filename "; pcre: "/ 4663: | 567: | 5145: /"; meta_content: "%sagan%",dispci.exe,8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93.exe,cscc.dat,infpub.dat,install_flash_player.exe; meta_nocase; classtype: trojan-activity; reference: url,hybrid-analysis.com/sample/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93?environmentId=100; reference: url,wiki.quadrantsec.com/bin/view/Main/5003209; sid:5003209; rev:1;)
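Review bot: Rule 5003206, whose message says "SHA256 hash detected", carries two 40-hex SHA1 digests in its `meta_content` list (`afeee8b4acff87bc469a6f0364a81ae5d60a2add` and `de5c8d858e6e41da715dca1c019df0bfb92d32c0`) among the 64-hex values, while the SHA1 rule 5003207 matches only one hash, so the alert text and the sid-msg.map entry misreport what was matched. Move those two into 5003207, e.g. `meta_content: "%sagan%", 6d8104674ea6206080b050d73f265ea75edbd7d3,afeee8b4acff87bc469a6f0364a81ae5d60a2add,de5c8d858e6e41da715dca1c019df0bfb92d32c0; meta_nocase;`, and drop them from 5003206. Rules 5003207 and 5003208 also write `content: <hash>` unquoted where every other rule in the file, including 5003204 just above, quotes the content value; confirm the parser accepts the unquoted form or quote it for consistency. In 5003209, `install_flash_player.exe` is the legitimate Adobe installer name Bad Rabbit masqueraded as, so 4663/5145 events for genuine Flash installs will raise this trojan-activity alert; a comment on the rule flagging the expected false positives (or correlating that name with the dropper hash) would help whoever tunes it.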
