
Better description on OWA correlated rules.

Champ Clark III
Champ Clark III committed Sep 26, 2018
1 parent c57c0a1 commit 53e313525fc98f451a4a25f4e2664e656216f877
Showing with 4 additions and 4 deletions.
  1. +4 −4 windows-owa-correlated.rules
@@ -24,8 +24,8 @@
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-OWA-CORRELATED] Login failure after recon activity"; content: "/ews/exchange.asmx"; nocase; meta_content:!" %sagan ",127.0.0.1,::1; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,recon; fwsam: src, 1 day; parse_src_ip: 2 reference: url,wiki.quadrantsec.com/bin/view/Main/5003336; sid:5003337; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-OWA-CORRELATED] Login failure after honeypot activity"; content: "/ews/exchange.asmx"; nocase; meta_content:!" %sagan ",127.0.0.1,::1; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,honeypot; fwsam: src, 1 day; parse_src_ip: 2;reference: url,wiki.quadrantsec.com/bin/view/Main/5003338; sid:5003338; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-OWA-CORRELATED] Login failure after exploit attempt"; content: "/ews/exchange.asmx"; nocase; meta_content:!" %sagan ",127.0.0.1,::1; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,exploit_attempt; fwsam: src, 1 day; parse_src_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5003339; sid:5003339; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-OWA-CORRELATED] Login failure after brute force activity"; content: "/ews/exchange.asmx"; nocase; meta_content:!" %sagan ",127.0.0.1,::1; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,brute_force; fwsam: src, 1 day; parse_src_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5003340; sid:5003340; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-OWA-CORRELATED] Login after recon activity"; content: "/ews/exchange.asmx"; nocase; meta_content:!" %sagan ",127.0.0.1,::1; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,recon; fwsam: src, 1 day; parse_src_ip: 2 reference: url,wiki.quadrantsec.com/bin/view/Main/5003336; sid:5003337; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-OWA-CORRELATED] Login after honeypot activity"; content: "/ews/exchange.asmx"; nocase; meta_content:!" %sagan ",127.0.0.1,::1; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,honeypot; fwsam: src, 1 day; parse_src_ip: 2;reference: url,wiki.quadrantsec.com/bin/view/Main/5003338; sid:5003338; rev:5;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-OWA-CORRELATED] Login after exploit attempt"; content: "/ews/exchange.asmx"; nocase; meta_content:!" %sagan ",127.0.0.1,::1; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,exploit_attempt; fwsam: src, 1 day; parse_src_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5003339; sid:5003339; rev:5;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-OWA-CORRELATED] Login after brute force activity"; content: "/ews/exchange.asmx"; nocase; meta_content:!" %sagan ",127.0.0.1,::1; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,brute_force; fwsam: src, 1 day; parse_src_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5003340; sid:5003340; rev:5;)
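Review bot: The first new rule (sid:5003337, "Login after recon activity") still has no `;` between the parse_src_ip option and the reference option — `parse_src_ip: 2 reference: url,...` — while the other three rules in the hunk separate them with `; `; since the message and rev were already touched here, this would be the place to make it `parse_src_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5003336;` so the option parser sees reference as its own keyword rather than as trailing text of parse_src_ip (the exact behaviour of the loader on a missing separator is not visible from this hunk). The same rule is also the only one whose reference URL (Main/5003336) does not match its own sid (5003337); the other three point at Main/<their sid>, so this looks like a stale copy-paste and is worth confirming against the wiki. Minor: the honeypot rule writes `parse_src_ip: 2;reference:` with no space, unlike its siblings, so `parse_src_ip: 2; reference:` would keep the four lines uniform. The hunk's @@ header counts 8 lines per side but only 6 are rendered here, so the hunk's tail is outside this view.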
