Permalink
Browse files

New passwordstate.rules!

  • Loading branch information...
Champ Clark III
Champ Clark III committed Jan 25, 2018
1 parent 0c8af05 commit a84b30bd279808b5730b687ae3b16e9f7b85c677
Showing with 136 additions and 1 deletion.
  1. +1 −1 .last_used_sid
  2. +101 −0 passwordstate.rules
  3. +34 −0 sagan-sid-msg.map
@@ -1 +1 @@
5003209
5003375
@@ -0,0 +1,101 @@
# Sagan passwordstate.rules
# Copyright (c) 2009-2017, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
# Rule's for "PasswordState" from www.clickstudios.com.au. PasswordState is an enterprise password manager. These
# rules where created by Jeff Ward (jward@quadrantsec.com)
#
# 2018/01/25
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Access was Granted"; content:"Passwordstate:"; content:"Access"; content:"granted"; parse_src_ip: 1; content: "Passwordstate:"; classtype: not-suspicious; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003342; sid:5003342; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Access has been Removed"; content:"Passwordstate:"; content:"removed access"; parse_src_ip: 1; classtype: configuration-change; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003343; sid:5003343; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] All Passwords Exported"; content:"Passwordstate:"; content:"exported all"; parse_src_ip: 1; classtype: suspicious-command; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003344; sid:5003344; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Audit Records Purged"; content:"Passwordstate:"; content:"purged"; parse_src_ip: 1; classtype: suspicious-command; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003345; sid:5003345; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Password Reset Task Deleted"; content:"Passwordstate:"; content:"Password Reset"; content:"deleted"; parse_src_ip: 1; classtype: suspicious-command; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003346; sid:5003346; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Discovery Job Updated"; content:"Discovery Job"; content:"Passwordstate:"; content:"updated"; parse_src_ip: 1; classtype: configuration-change; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003347; sid:5003347; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Discovery Job Permissions Added"; content:"Passwordstate:"; content:"Discovery Job"; content:"permission"; parse_src_ip: 1; classtype: misc-activity; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003348; sid:5003348; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Discovery Job Removed"; content:"Passwordstate:"; content:"Discovery Job"; content:"removed"; parse_src_ip: 1; classtype: configuration-change; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003349; sid:5003349; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Discovery Job Deleted"; content:"Discovery Job"; content:"Passwordstate:"; content:"deleted"; parse_src_ip: 1; classtype: suspicious-traffic; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003350; sid:5003350; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Document Deleted"; content:"Passwordstate:"; content:"deleted the document"; parse_src_ip: 1; classtype: system-event; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003351; sid:5003351; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Encryption Keys Exported"; content:"Passwordstate:"; content:"exported the encryption"; parse_src_ip: 1; classtype: suspicious-command; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003352; sid:5003352; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Password Updated"; content:"Passwordstate:"; content:"updated the Password"; parse_src_ip: 1; classtype: misc-activity; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003353; sid:5003353; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Login Attempt Failed"; content:"Passwordstate:"; content:"Failed"; content:"login attempt"; parse_src_ip: 1; classtype: system-event; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003354; sid:5003354; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Privileged Account Credentials Deleted"; content:"Passwordstate:"; content:"deleted the Privileged Account Credential"; parse_src_ip: 1; classtype: successful-admin; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003355; sid:5003355; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Privileged Account Credentials Permissions Added"; content:"Passwordstate:"; content:"Privileged"; content:"added permissions"; parse_src_ip: 1; classtype: successful-admin; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003356; sid:5003356; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Privileged Account Credentials Permissions Removed"; content:"Passwordstate:"; content:"Privileged"; content:"removed permissions"; parse_src_ip: 1; classtype: successful-admin; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003357; sid:5003357; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Security Administrator Added"; content:"Passwordstate:"; content:"Security Administrator"; content:"added"; parse_src_ip: 1; classtype: successful-admin; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003358; sid:5003358; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Security Administrator Removed"; content:"Passwordstate:"; content:"Security Administrator"; content:"removed"; parse_src_ip: 1; classtype: successful-admin; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003359; sid:5003359; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Security Administrator Role Updated"; content:"Passwordstate:"; content:"Security Administrator"; content:"updated"; parse_src_ip: 1; classtype: successful-admin; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003360; sid:5003360; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Security Group Added"; content:"Passwordstate:"; content:"Group"; content:"added the"; content:"Security Group"; content:"to Passwordstate"; parse_src_ip: 1; classtype: successful-admin; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003361; sid:5003361; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Security Group Updated"; content:"Passwordstate:"; content:"updated"; content:"Security Group"; parse_src_ip: 1; classtype: successful-admin; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003362; sid:5003362; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Security Group Deleted"; content:"Passwordstate:"; content:"deleted"; content:"Security Group"; parse_src_ip: 1; classtype: successful-admin; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003363; sid:5003363; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] User Account Added to Security Group"; content:"Passwordstate:"; content:"Security Group"; content:"added"; content:"SysID"; content:"to the"; parse_src_ip: 1; classtype: successful-admin; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003364; sid:5003364; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] User Account Disabled"; content:"Passwordstate:"; content:"disabled the User Account"; parse_src_ip: 1; classtype: successful-admin; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003365; sid:5003365; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] User Removed From Security Group"; content:"Passwordstate:"; content:"from the Security Group"; content:"removed"; parse_src_ip: 1; classtype: successful-admin; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003366; sid:5003366; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Password Copied Between Password Lists"; content:"Passwordstate:"; content:"Copied from Password List"; parse_src_ip: 1; classtype: suspicious-traffic; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003367; sid:5003367; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Password Deleted"; content:"Passwordstate:"; content:"deleted the password '"; parse_src_ip: 1; classtype: suspicious-traffic; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003368; sid:5003368; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Password History Exported"; content:"Passwordstate:"; content:"exported Historical"; parse_src_ip: 1; classtype: suspicious-traffic; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003369; sid:5003369; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Password List Deleted"; content:"Passwordstate:"; content:"deleted the Password List"; parse_src_ip: 1; classtype: suspicious-traffic; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003370; sid:5003370; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Password Moved"; content:"Passwordstate:"; content:"moved the Password"; parse_src_ip: 1; classtype: suspicious-traffic; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003371; sid:5003371; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Password Reset Failed"; content:"Passwordstate:"; content:"failed to process the Password Reset"; parse_src_ip: 1; classtype: bad-unknown; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003372; sid:5003372; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Password Reset Removed from Queue"; content:"Passwordstate:"; content:"Password Reset"; content:"removed"; parse_src_ip: 1; classtype: configuration-change; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003373; sid:5003373; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Password Reset Task Updated"; content:"Passwordstate:"; content:"Password Reset"; content:"updated"; parse_src_ip: 1; classtype: configuration-change; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003374; sid:5003374; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Brute Force Login Attempt [5/5]"; content:"Passwordstate:"; content:"Failed"; content:"login attempt"; parse_src_ip: 1; set,brute_force,21600; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5,seconds 300; classtype: system-event; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003375; sid:5003375; rev:1;)
Oops, something went wrong.

0 comments on commit a84b30b

Please sign in to comment.