@@ -33,7 +33,18 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Successful su as root";
drop syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] FAILED su - Brute force [5/5]"; content:"FAILED su"; classtype: unsuccessful-admin; program: su; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000028; sid: 5000028; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] FAILED su"; content:"FAILED su"; classtype: unsuccessful-admin; program: su; reference: url,wiki.quadrantsec.com/bin/view/Main/5001527; sid: 5001527; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Three failed attempts to run sudo"; content: "3 incorrect password attempts"; classtype: unsuccessful-admin;program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5000132; sid: 5000132; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Successful sudo to ROOT executed"; content: "USER=root"; content: "COMMAND="; content:!"incorrect password attempts"; content:!"NOT in sudoers"; classtype: successful-admin;program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5000133; sid: 5000133; rev:6;)
# The will catch "sudo su -" and "sudo -i". It will NOT catch "sudo su - {username}" (for example : "sudo su - oracle")
# Steve Rawl's modications.
# 2018/09/25
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Successful sudo to ROOT executed"; content: "USER=root"; content: "COMMAND="; content:!"incorrect password attempts"; content:!"NOT in sudoers"; pcre: "/COMMAND=(?!([A-Za-z0-9_.\/-]+)?su\s-\s[A-Za-z0-9]+)/"; classtype: successful-admin; program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5000133; sid: 5000133; rev:9;)
# This will catch attempts to "sudo su - root".
# 2018/09/25
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Successful sudo to user ROOT executed"; content: "USER=root"; content: "COMMAND="; content:!"incorrect password attempts"; content:!"NOT in sudoers"; content: "su - root"; classtype: successful-admin; program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5003928; sid:5003928; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] su as 'root' suceeded"; content: "su root"; content: "succeeded for root"; classtype: successful-admin; program: su; reference: url,wiki.quadrantsec.com/bin/view/Main/5000409; normalize; sid: 5000409; rev:4;)
# Rules added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/21/2015