New Windows/LDAP rules... New Cisco ISE detection...

Champ Clark III
Champ Clark III committed May 31, 2018
1 parent 82d0ccd commit a5916e4f43b3ac377a762e6ea38302f889bf7aba
Showing with 9 additions and 1 deletion.
  1. +0 −1 dynamic.rules
  2. +3 −0 sagan-sid-msg.map
  3. +6 −0 windows-auth.rules
@@ -92,6 +92,5 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Wordpress logs det
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] xinetd logs detected via program."; program: xinetd; dynamic_load: $RULE_PATH/xinetd.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003018; sid:5003018; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Yubikey logs detected via program."; program: yk_chkpwd; dynamic_load: $RULE_PATH/yubikey.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003019; sid:5003019; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Zeus logs detected via program."; program: zeus; dynamic_load: $RULE_PATH/zeus.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003020; sid:5003020; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Zeus logs detected via program."; program: zeus; dynamic_load: $RULE_PATH/zeus.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003020; sid:5003020; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Cisco ISE detected via program"; program: CISE_Passed_Authentications|CISE_Failed_Attempts|CSCOacs_Failed_Attempts; dynamic_load: $RULE_PATH/cisco-ise.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003785; sid:5003785; rev:1;)
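Review bot: the line removed in this hunk is a byte-for-byte duplicate of the Zeus entry just above it (same `program: zeus`, same `dynamic_load: $RULE_PATH/zeus.rules`, same `sid:5003020; rev:2`), so the deletion is correct and needs no rev bump because the surviving rule is untouched; two rules sharing one sid would have made any 5003020 alert ambiguous. One style point on the neighbouring Cisco ISE dynamic rule (sid 5003785), which the file stats (+0 −1) show as pre-existing rather than added here: its `msg` is the only `[DYNAMIC]` entry without a trailing period, so `"[DYNAMIC] Cisco ISE detected via program."` would match its neighbours; if it is changed, the matching sagan-sid-msg.map text must change with it.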

5003782 || [CISCO-ISE-BLUEDOT] Successful authentication from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5003782
5003783 || [CISCO-ISE-BLACKLIST] Successful authentication from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5003783
5003784 || [CISCO-ISE-BROINTEL] Successful authentication from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5003784
5003785 || [DYNAMIC] Cisco ISE detected via program || url,wiki.quadrantsec.com/bin/view/Main/5003785
5003786 || [WINDOWS-AUTH] LDAP authentication error - Account expired. || url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan || url,wiki.quadrantsec.com/bin/view/Main/5003786
5003787 || [WINDOWS-AUTH] LDAP authentication error - Account locked. || url,wiki.quadrantsec.com/bin/view/Main/5003787
6000510 || [OSSEC] Level 7 - Host-based anomaly detection event (rootcheck). (ossec_rules.xml:ossec)
6000513 || [OSSEC] Level 9 - Windows malware detected. (ossec_rules.xml:ossec)
6000518 || [OSSEC] Level 9 - Windows Adware/Spyware application found. (ossec_rules.xml:ossec)
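Review bot: the three new map entries (5003785, 5003786, 5003787) reproduce the rule `msg` strings exactly, including the trailing periods on the two LDAP entries, which is what sid-to-message resolution depends on, so no change is needed there. Two consistency points: the 5003786 entry lists the quadrantsec blog reference before the wiki URL while the rule in windows-auth.rules lists them the other way round, and 5003787 carries only the wiki reference in both files; if the Jack Crook blog post covers both LDAP rules, cite it on 5003787 as well, in the map and in the rule.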
@@ -262,3 +262,9 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Suspicious ne
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Suspicious WMIC/Net/Powershell execution"; program: *Security*; content: " 4648|3a| "; content:!"Account Name|3a| -"; content:!"Target Server Name|3a| localhost"; pcre: "/Target Server Name: (.*)\$ /"; pcre: "/Process Name: (.*)(net\.exe|wmic\.exe|powershell\.exe)(.*)/i"; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003387; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:misc-attack; sid:5003387; rev:1;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Suspicious Mount of a $ share"; program: *Security*; content: " 5140|3a| "; pcre: "/^((?!Account Name: (.*)\$ ).)*$/"; pcre: "/Share Name: (.*)\$/"; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003389; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:misc-attack; sid:5003389; rev:1;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] LDAP authentication error - Account expired."; program: *System*; content: " 40960|3a| "; content: "0xc0000193"; reference: url,wiki.quadrantsec.com/bin/view/Main/5003786; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:suspicious-login; sid:5003786; rev:1;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] LDAP authentication error - Account locked."; program: *System*; content: " 40960|3a| "; content: "0xc0000234"; threshold: type limit, track by_src, count 1, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5003787; classtype: unsuccessful-user; sid:5003787; rev:1;)
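Review bot: the two new Event ID 40960 rules are inconsistent in rate limiting: 5003787 (0xc0000234, STATUS_ACCOUNT_LOCKED_OUT) carries `threshold: type limit, track by_src, count 1, seconds 300`, but 5003786 (0xc0000193, STATUS_ACCOUNT_EXPIRED) has no threshold, so a service account with a stale expiry that keeps retrying will fire once per log line; unless that volume is wanted, give 5003786 the same threshold. The status codes are matched with case-sensitive `content:`; a collector that normalizes hex to upper case (0xC0000193) would make both rules miss, so `nocase;` after each status `content:` (e.g. `content: "0xc0000193"; nocase;`) is a cheap safeguard. Minor: `classtype: unsuccessful-user` on 5003787 uses a space after the colon while the rest of the file uses `classtype:misc-attack` / `classtype:suspicious-login`; harmless, but worth normalizing.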

