
New / improved sudo rules....

Champ Clark III
Champ Clark III committed Sep 25, 2018
1 parent 228d4f5 commit 712260c64a7a5d3fc078d268d825ef17655ad9c4
Showing with 16 additions and 4 deletions.
  1. +1 −1 .last_used_sid
  2. +3 −1 sagan-sid-msg.map
  3. +0 −1 sendmail.rules
  4. +12 −1 su.rules
@@ -1 +1 @@
5003927
5003928
@@ -321,7 +321,7 @@
5000354 || [WINDOWS-MISC] WinVNC4 Connection closed || url,wiki.quadrantsec.com/bin/view/Main/5000354
5000355 || [WINDOWS-MISC] WinVNC4 HTTPServer event || url,wiki.quadrantsec.com/bin/view/Main/5000355
5000356 || [WINDOWS-MISC] Crypt32 Failed to extract third-party root list || url,wiki.quadrantsec.com/bin/view/Main/5000356
5000357 || [SENDMAIL] Username with pipe symbol || url,wiki.quadrantsec.com/bin/view/Main/5000357
5000357 || [SENDMAIL] Username with pipe symbol || url,wiki.quadrantsec.com/bin/view/Main/5000357 || url,www.jochentopf.com/email/chars.html
5000359 || [APACHE] Directory traversal attempt - 1 || url,wiki.quadrantsec.com/bin/view/Main/5000359
5000360 || [APACHE] Directory traversal attempt - 2 || url,wiki.quadrantsec.com/bin/view/Main/5000360
5000361 || [APACHE] Robots.txt access || url,wiki.quadrantsec.com/bin/view/Main/5000361
@@ -3757,3 +3757,5 @@
5003923 || [Incapsula] Illegal Resource Access || url,wiki.quadrantsec.com/bin/view/Main/5003923
5003924 || [Incapsula] DDoS || url,wiki.quadrantsec.com/bin/view/Main/5003924
5003925 || [Incapsula] Backdoor Protect || url,wiki.quadrantsec.com/bin/view/Main/5003925
5003927 || [WINDOWS-AUTH] User added to Local Administrators group || url,wiki.quadrantsec.com/bin/view/Main/5003927
5003928 || [SU] Successful sudo to user ROOT executed || url,wiki.quadrantsec.com/bin/view/Main/5003928
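Review bot: The map gains an entry for sid 5003927 (`[WINDOWS-AUTH] User added to Local Administrators group`), but no rule in this commit carries that sid — the only rule file touched for new signatures is su.rules, which adds 5003928. Presumably the Windows rule lands in a separate commit; until it does the map entry is orphaned while .last_used_sid has already moved past 5003927, so a later author cannot tell from the files whether the number is free or reserved.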
@@ -39,7 +39,6 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SENDMAIL] Sender address doe
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SENDMAIL] Save mail panic"; content: "savemail panic"; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: program-error; program: sm-mta|sendmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000140; sid: 5000140; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SENDMAIL] Sendmail Spamassassin X-Spam-Score"; content: "X-Spam-Score"; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: spam; program: sm-mta|sendmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000141; sid: 5000141; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SENDMAIL] Possible SMTP RCPT flood, throttling"; content: "Possible SMTP RCPT flood, throttling"; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: spam; program: sm-mta|sendmail; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000142; sid: 5000142; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SENDMAIL] Username with pipe symbol"; content: "|7c|"; content: "to=<"; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: exploit-attempt; program: sm-mta|sendmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000357; sid: 5000357; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SENDMAIL] Username with pipe symbol"; content: "to=<"; content: "|7c|"; pcre: "/to=<[A-Za-z0-9|&'*+-./=?^_{}~]+@/"; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: exploit-attempt; program: sm-mta|sendmail; reference: url,www.jochentopf.com/email/chars.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5000357; sid: 5000357; rev:5;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SENDMAIL] SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt"; parse_src_ip: 1; program: sm-mta|sendmail; content: "/bin/"; content: "sh "; content: "|7c|"; content: "+"; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: exploit-attempt; reference: url, wiki.quadrantsec.com/bin/view/Main/5000881; reference: url,http://www.securityfocus.com/bid/38578; sid: 5000881; rev:7;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SENDMAIL] Possible open proxy"; program: sm-mta|sendmail; content: "probable open proxy:"; parse_src_ip: 1; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: suspicious-traffic; xbits: set,recon, 86400; reference: url, wiki.quadrantsec.com/bin/view/Main/5001013; sid: 5001013; rev:7;)
@@ -33,7 +33,18 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Successful su as root";
drop syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] FAILED su - Brute force [5/5]"; content:"FAILED su"; classtype: unsuccessful-admin; program: su; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000028; sid: 5000028; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] FAILED su"; content:"FAILED su"; classtype: unsuccessful-admin; program: su; reference: url,wiki.quadrantsec.com/bin/view/Main/5001527; sid: 5001527; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Three failed attempts to run sudo"; content: "3 incorrect password attempts"; classtype: unsuccessful-admin;program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5000132; sid: 5000132; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Successful sudo to ROOT executed"; content: "USER=root"; content: "COMMAND="; content:!"incorrect password attempts"; content:!"NOT in sudoers"; classtype: successful-admin;program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5000133; sid: 5000133; rev:6;)
# The will catch "sudo su -" and "sudo -i". It will NOT catch "sudo su - {username}" (for example : "sudo su - oracle")
# Steve Rawl's modications.
# 2018/09/25
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Successful sudo to ROOT executed"; content: "USER=root"; content: "COMMAND="; content:!"incorrect password attempts"; content:!"NOT in sudoers"; pcre: "/COMMAND=(?!([A-Za-z0-9_.\/-]+)?su\s-\s[A-Za-z0-9]+)/"; classtype: successful-admin; program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5000133; sid: 5000133; rev:9;)
# This will catch attempts to "sudo su - root".
# 2018/09/25
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Successful sudo to user ROOT executed"; content: "USER=root"; content: "COMMAND="; content:!"incorrect password attempts"; content:!"NOT in sudoers"; content: "su - root"; classtype: successful-admin; program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5003928; sid:5003928; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] su as 'root' suceeded"; content: "su root"; content: "succeeded for root"; classtype: successful-admin; program: su; reference: url,wiki.quadrantsec.com/bin/view/Main/5000409; normalize; sid: 5000409; rev:4;)
# Rules added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/21/2015
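Review bot: The new 5003928 rule near the end of the hunk keys on the bare substring `content: "su - root"`, which is not tied to the COMMAND= field and also matches a longer target such as `su - rootadmin`, whereas the exemption it complements (the negative lookahead on the rev:9 5000133 rule above it) is anchored at `COMMAND=`; adding `pcre: "/COMMAND=.*su\s-\s+root\b/"` alongside the content match would keep the two in step. That lookahead only exempts the `su - <name>` spelling, so `sudo su -l oracle` or `sudo su oracle` still raise 5000133 as a sudo to ROOT, and `sudo su - <user>` now produces no alert at all — worth stating in the comment, e.g. `# Exempts only "su - <user>" (no alert for non-root targets); "su -l <user>" and "su <user>" still fire.` The two comment lines introducing the rev:9 rule read `# The will catch` and `# Steve Rawl's modications.`, presumably `# This will catch` and `modifications`. Minor style: `sid:5003928` lacks the space every other `sid:` option in the file uses, and rev jumps from 6 to 9 with no intermediate revisions visible.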

