Ignore "anonymous" users and threshold 0/5
Showing
with
2 additions
and
2 deletions.
-
+1
−1
citrix-bluedot.rules
-
+1
−1
citrix-geoip.rules
|
@@ -32,5 +32,5 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-BLUEDOT] Login from |
|
|
|
|
|
#alert any $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLUEDOT] AAA LOGIN_FAILED from Bluedot listed IP"; content: "AAA LOGIN_FAILED"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; normalize; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002342; sid:5002342; rev:6;) |
|
|
|
|
|
alert any $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLUEDOT] SSLVPN HTTPREQUEST from Bluedot listed IP"; content: "SSLVPN HTTPREQUEST"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; normalize; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002343; sid:5002343; rev:6;) |
|
|
alert any $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLUEDOT] SSLVPN HTTPREQUEST from Bluedot listed IP"; content: "SSLVPN HTTPREQUEST"; content:!"Context anonymous"; threshold: type limit, track by_src, count 5, seconds 300; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; normalize; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002343; sid:5002343; rev:7;) |
|
|
|
|
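Review bot: The `threshold: type limit, track by_src, count 5, seconds 300` added to the sid:5002343 rule passes the first five matching events per source address in each 300-second window and suppresses the rest; it does not wait for five hits before alerting, so the `fwsam: src, 1 day` block on the same line is still issued on the very first matching request, and the same applies to the sid:5002284 change in citrix-geoip.rules. If the intent of "threshold 0/5" in the commit title was to alert only once five requests have been seen, that is `type threshold` rather than `type limit`. The bluedot msg also keeps its original text while the geoip counterpart gains a `[0/5]` suffix in this same commit, so consider `msg: "[CITRIX-BLUEDOT] SSLVPN HTTPREQUEST from Bluedot listed IP [0/5]";` so both rules label the threshold the same way.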
@@ -32,5 +32,5 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-GEOIP] Login from ou |
|
|
|
|
|
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-GEOIP] AAA LOGIN_FAILED from outside HOME_COUNTRY"; content: "AAA LOGIN_FAILED"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-user; parse_src_ip: 1; normalize; country_code: track by_src, isnot $HOME_COUNTRY; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002280; sid:5002280; rev:3;) |
|
|
|
|
|
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-GEOIP] SSLVPN HTTPREQUEST from outside HOME_COUNTRY"; content: "SSLVPN HTTPREQUEST"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; normalize; country_code: track by_src, isnot $HOME_COUNTRY; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002284; sid:5002284; rev:4;) |
|
|
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-GEOIP] SSLVPN HTTPREQUEST from outside HOME_COUNTRY [0/5]"; content: "SSLVPN HTTPREQUEST"; content:!"Context anonymous"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; normalize; country_code: track by_src, isnot $HOME_COUNTRY; fwsam: src, 1 day; threshold: type limit, track by_src, count 5, seconds 300; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002284; sid:5002284; rev:5;) |
|
|
|
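Review bot: `content:!"Context anonymous"` on the new sid:5002284 line is a case-sensitive literal, so a log that renders the context with different capitalization would not be excluded and would still raise the alert and the 1-day `fwsam` block; if the exact casing of that field is not fixed, consider adding `nocase` to the negated match, and the same applies to the bluedot rule in this commit. As a point of style, the `threshold` option sits after `fwsam` here but before `default_proto` in citrix-bluedot.rules; putting it in the same position in both rules makes the two easier to compare. The `[0/5]` tag in the msg is also easy to read as "zero of five"; a wording such as `[limit 5/300s]` would state what the threshold does.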