
Ignore "anonymous" users and threshold 0/5

Champ Clark III
Champ Clark III committed Nov 8, 2017
1 parent c9346bb commit 97102417281a36f042cf3eba841e67a29cd9451d
Showing with 2 additions and 2 deletions.
  1. +1 −1 citrix-bluedot.rules
  2. +1 −1 citrix-geoip.rules
@@ -32,5 +32,5 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-BLUEDOT] Login from
#alert any $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLUEDOT] AAA LOGIN_FAILED from Bluedot listed IP"; content: "AAA LOGIN_FAILED"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; normalize; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002342; sid:5002342; rev:6;)
alert any $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLUEDOT] SSLVPN HTTPREQUEST from Bluedot listed IP"; content: "SSLVPN HTTPREQUEST"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; normalize; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002343; sid:5002343; rev:6;)
alert any $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLUEDOT] SSLVPN HTTPREQUEST from Bluedot listed IP"; content: "SSLVPN HTTPREQUEST"; content:!"Context anonymous"; threshold: type limit, track by_src, count 5, seconds 300; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; normalize; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002343; sid:5002343; rev:7;)
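Review bot: The new negated match `content:!"Context anonymous";` on the sid:5002343 line removes HTTPREQUEST events from presumably unauthenticated sessions, and the `AAA LOGIN_FAILED` rule (sid:5002342) directly above stays commented out, so in the lines visible here there is no longer any alert for a Bluedot-listed source that is only probing or failing to log in; the same coverage gap applies to sid:5002284 in citrix-geoip.rules. If that is intentional, record it next to the rule with a comment such as `# Pre-auth "Context anonymous" requests are excluded; re-enable 5002342 if failed-login visibility from listed IPs is wanted` so the next maintainer does not read the disabled rule as still covering it. The `threshold: type limit ... count 5, seconds 300` caps alerts but the `fwsam: src, 1 day` action still fires on the first match, which is worth stating in the same comment. The hunk header covers five lines but only three are shown, so surrounding rules are outside this view.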
@@ -32,5 +32,5 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-GEOIP] Login from ou
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-GEOIP] AAA LOGIN_FAILED from outside HOME_COUNTRY"; content: "AAA LOGIN_FAILED"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-user; parse_src_ip: 1; normalize; country_code: track by_src, isnot $HOME_COUNTRY; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002280; sid:5002280; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-GEOIP] SSLVPN HTTPREQUEST from outside HOME_COUNTRY"; content: "SSLVPN HTTPREQUEST"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; normalize; country_code: track by_src, isnot $HOME_COUNTRY; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002284; sid:5002284; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-GEOIP] SSLVPN HTTPREQUEST from outside HOME_COUNTRY [0/5]"; content: "SSLVPN HTTPREQUEST"; content:!"Context anonymous"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; normalize; country_code: track by_src, isnot $HOME_COUNTRY; fwsam: src, 1 day; threshold: type limit, track by_src, count 5, seconds 300; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002284; sid:5002284; rev:5;)
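Review bot: The rev:5 line for sid:5002284 appends `[0/5]` to the msg and places the `threshold:` option after `fwsam:`, whereas the equivalent change to sid:5002343 in citrix-bluedot.rules leaves the msg unchanged and puts `threshold:` before `default_proto:`; the two rules now differ in style for the same edit. Either add the same suffix to the bluedot msg or drop it here, and keep the option order identical in both files so a diff between them shows only the real differences (bluedot vs country_code). The msg suffix also encodes the threshold count, so a later change to `count 5` must remember to update the string, which a comment such as `# [0/5] in msg mirrors threshold count 5 / 300s below` would make explicit.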

