# 10.11.11.11|daemon|warning|warning|1c|2015-11-28|16:31:49|xxx_RTS_FIPEMV2| 8: 2015/11/28 16:31:49.423 C-400008 FIPAYPIN FIPEMV2 : Call Remote: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 10.11.11.11:26008
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FIPAYPIN] Invalid credit card detected"; content: "S-300000"; content: "Swpe: Response"; meta_content:!"track2=%sagan%", $CREDIT_CARD_PREFIXES; default_proto: tcp; classtype: misc-activity; program: *FIPAYPIN*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002766; sid:5002766; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FIPAYPIN] Invalid credit card detected"; content: "S-300000"; content: "Swpe: Response"; meta_content:!"track2=%sagan%", $CREDIT_CARD_PREFIXES; default_proto: tcp; classtype: misc-activity; program: *FIPAYPIN*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002766; sid:5002766; rev:4;)
# 10.11.11.11|daemon|warning|warning|1c|2015-11-27|10:46:42|xxx_RTS_FIPAYPIN| 0: 2015/11/27 10:46:41.999 S-300000 FIPAYPIN FIPAYPIN : Bad/No Pin Block and KSN returned - Check to ensure your pinpad had DUKPT keys loaded.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FIPAYPIN] Bad/No Pin Block and KSN returned"; content: "S-300000"; content: "Bad/No Pin Block and KSN returned"; default_proto: tcp; classtype: misc-activity; program: *FIPAYPIN*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002767; sid:5002767; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FIPAYPIN] Bad/No Pin Block and KSN returned"; content: "S-300000"; content: "Bad/No Pin Block and KSN returned"; default_proto: tcp; classtype: misc-activity; program: *FIPAYPIN*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002767; sid:5002767; rev:3;)
# 10.11.11.11|daemon|warning|warning|1c|2015-11-15|15:38:02|xxx_RTS_FIPAYPIN| 0: 2015/11/15 15:38:02.220 S-300000 FIPAYPIN FIPAYPIN : Blocked the response to POS.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FIPAYPIN] Blocked the response to POS"; content: "S-300000"; content: "Blocked the response to POS"; default_proto: tcp; classtype: misc-activity; program: *FIPAYPIN*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002768; sid:5002768; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FIPAYPIN] Blocked the response to POS"; content: "S-300000"; content: "Blocked the response to POS"; default_proto: tcp; classtype: misc-activity; program: *FIPAYPIN*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002768; sid:5002768; rev:3;)
# 10.30.1.131|daemon|warning|warning|1c|2015-11-19|11:33:13|xxx_RTS_FIPAYPIN| 0: 2015/11/19 11:33:13.015 S-300000 FIPAYPIN FIPAYPIN : Failed to open pinpad COM9.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FIPAYPIN] Failed to open pinpad [0/2]"; content: "S-300000"; content: "Failed to open pinpad"; default_proto: tcp; classtype: misc-activity; program: *FIPAYPIN*; threshold: type limit, track by_src, count 2, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002769; sid:5002769; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FIPAYPIN] Failed to open pinpad [0/2]"; content: "S-300000"; content: "Failed to open pinpad"; default_proto: tcp; classtype: misc-activity; program: *FIPAYPIN*; threshold: type limit, track by_src, count 2, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5002769; sid:5002769; rev:3;)
# 10.11.11.11|daemon|warning|warning|1c|2015-11-04|13:57:27|xxx_RTS_FIPAYPIN| 0: 2015/11/04 13:57:27.037 S-300000 FIPAYPIN FIPAYPIN : Replace macro [RTS1_IP] with value '10.11.11.11'
# See sagan.conf for RFC1918 var.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FIPAYPIN] Replace macro from outside RFC1918"; content: "S-300000"; content: "RTS1_IP"; meta_content:!"value ''%sagan%", $RFC1918; default_proto: tcp; classtype: misc-activity; program: *FIPAYPIN*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002770; sid:5002770; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FIPAYPIN] Replace macro from outside RFC1918"; content: "S-300000"; content: "RTS1_IP"; meta_content:!"value ''%sagan%", $RFC1918; default_proto: tcp; classtype: misc-activity; program: *FIPAYPIN*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002770; sid:5002770; rev:3;)
5002767 || [FIPAYPIN] Bad/No Pin Block and KSN returned || url,wiki.quadrantsec.com/bin/view/Main/5002767
5002768 || [FIPAYPIN] Blocked the response to POS || url,wiki.quadrantsec.com/bin/view/Main/5002768
5002769 || [FIPAYPIN] Failed to open pinpad [0/2] || url,wiki.quadrantsec.com/bin/view/Main/5002769
5002770 || [FIPAYPIN] Replace macro from outside RFC1918 || url,wiki.quadrantsec.com/bin/view/Main/5002770
5002771 || [ScreenOS] Juniper ScreenOS Login for Suspicious Admin user - system || url,kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search || cve,2015-7755
5002772 || [ScreenOS] Juniper ScreenOS Login for Suspicious Admin user - username || url,kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search || cve,2015-7755
5002773 || [ScreenOS-GEOIP] Juniper ScreenOS Admin Login from Outside of Home Country || url, wiki.quadrantsec.com/bin/view/Main/5002773 || url,kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search
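Review bot: the sample log kept above sid 5002766 does not exercise that rule: the line is a `C-400008 FIPAYPIN FIPEMV2 : Call Remote: A connection attempt failed ...` message whose program field is `xxx_RTS_FIPEMV2`, so it fails the `program: *FIPAYPIN*` filter and contains neither `S-300000` nor `Swpe: Response` nor a `track2=` field for the negated meta_content to test; replace it with an `S-300000 ... Swpe: Response ... track2=...` sample (PAN masked) or drop it, otherwise anyone validating the rule against its documented line gets no alert and assumes the reference-URL change broke it. Two smaller points in the same hunk: the 5002770 pattern `value ''%sagan%` carries two single quotes while the sample log it sits under reads `value '10.11.11.11'` with one, so either the doubled quote is a deliberate escape in the rule language or the negated `$RFC1918` check can never match and the rule fires on every `RTS1_IP` replacement; please confirm which. And the sid-msg.map entry for 5002773 writes its reference as `url, wiki.quadrantsec.com/...` with a space after the comma, unlike every other entry; it should be `url,wiki.quadrantsec.com/bin/view/Main/5002773` so a parser splitting on `,` does not emit a URL with a leading space.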
@@ -2642,23 +2642,23 @@
5002796 || [Barracuda] System Shutdown || url,wiki.quadrantsec.com/bin/view/Main/5002796
5002797 || [Trendmicro] Virus Found Unable to Quarantine || url,wiki.quadrantsec.com/bin/view/Main/5002797
5002798 || [BRO] RFC1918 address scanning the network || url,wiki.quadrantsec.com/bin/view/Main/5002798
5002815 || [WINDOWS-SYSMON] Suspicious WMIC call - csproduct Get Name || url,wiki.quadrantsec.com/bin/view/Main/5002815
5002816 || [WINDOWS-SYSMON] Suspicious WMIC call - computersystem get model || url,wiki.quadrantsec.com/bin/view/Main/5002816
5002817 || [WINDOWS-MISC] Installation of service via SCM || url,pastebin.com/raw/0SNSvyjJ || url,wiki.quadrantsec.com/bin/view/Main/5002817
5002818 || [WINDOWS-MISC] Installation of new service via Security Audit || url,pastebin.com/raw/0SNSvyjJ || url,wiki.quadrantsec.com/bin/view/Main/5002818
5003378 || [WINDOWS-SYSMON] IP detect in command line || url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan || url,wiki.quadrantsec.com/bin/view/Main/5003378 || url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html
5003379 || [WINDOWS-SYSMON] Command line $\\ type request || url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan sid:5003379 || url,wiki.quadrantsec.com/bin/view/Main/5003379 || url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html
5003379 || [WINDOWS-SYSMON] Command line $\\ type request || url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan || url,wiki.quadrantsec.com/bin/view/Main/5003379 || url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html
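Review bot: the stray ` sid:5003379` fused onto the first reference URL of 5003379 is the same defect as the `Main/sid:NNNNNNN` URLs corrected in the FIPAYPIN hunk above, so it should be swept across the whole map and rule set with one grep for ` sid:` and `/sid:` inside reference fields rather than fixed one entry per commit; any that remain produce broken links in the console. Two style points in the same hunk: 5002817 and 5002818 list a pastebin raw link ahead of the wiki page as their first reference, and a paste can be deleted or replaced at any time, so the `wiki.quadrantsec.com` URL should come first; and the two WMIC messages are inconsistently cased (`csproduct Get Name` against `computersystem get model`), which matters when analysts search on msg text.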