New AS/400 rules.....

.last_used_sid

@@ -1 +1 @@
-5003392
+5003780

as400.rules

@@ -0,0 +1,68 @@
+# Copyright (c) 2009-2017, Quadrant Information Security <www.quadrantsec.com>
+# All rights reserved.
+#
+# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
+#
+#*************************************************************
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
+#  following conditions are met:
+#
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
+#    from this software without specific prior written permission.
+#
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#*************************************************************
+
+# These rules were created from output from iSecurity for AS/400's.  The signature are probably 
+# generic enough to work with anything. 
+# https://seasoft.com/products/solutions-for-ibm-i/audit-compliance-management/isecurity-syslog
+
+# 10.16.10.200|local6|crit|crit|b2|2018-04-27|13:28:13|CSYS| iSecurity/Audit: MPW1600 PW/P *AUTFAIL An incorrect password was entered. User GUEST. Device XXXXXXXX. Remote location . Local location . Network Id .
+
+alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[AS400] AUTFAIL An incorrect password was entered"; content: " MPW1600 "; default_proto: tcp; classtype: unsuccessful-user; normalize; after: track by_username, count 3, seconds 900; threshold: type limit, track by_username, count 2, seconds 900; reference: url,wiki.quadrantsec.com/bin/view/Main/5003771; sid:5003771; rev:1;)
+
+# 10.16.101.200|local6|alert|alert|b1|2018-03-19|11:39:12|CSYS| iSecurity/Audit: MPW1800 PW/R *AUTFAIL Attempted signon (user authentication) failed because password was expired.
+
+alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[AS400] AUTFAIL fail - password expired [no username]"; content: " MPW1800 "; default_proto: tcp; classtype: unsuccessful-user; normalize; after: track by_username, count 3, seconds 900; threshold: type limit, track by_username, count 2, seconds 900; reference: url,wiki.quadrantsec.com/bin/view/Main/5003772; sid:5003772; rev:1;)
+
+# 10.16.101.200|local6|alert|alert|b1|2018-03-19|05:25:26|CSYS| iSecurity/Audit: MVP1600 VP/P *AUTFAIL User GUEST; An incorrect network password was used. Server *SYSTEM. Computer ::ffff:1.
+
+alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[AS400] AUTFAIL - incorrect network password was used; content: " MVP1600 "; default_proto: tcp; classtype: unsuccessful-user; normalize; after: track by_username, count 3, seconds 900; threshold: type limit, track by_username, count 2, seconds 900; reference: url,wiki.quadrantsec.com/bin/view/Main/5003773; sid:5003773; rev:1;)
+
+# 10.16.101.200|local6|alert|alert|b1|2018-03-14|14:41:26|CSYS| iSecurity/Audit: MAF0100 AF/A *AUTFAIL User GUEST; Not authorized to object QSYS/XXXXXXX *LIB in program /. Path name .
+
+alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[AS400] AUTFAIL - Not authorized to object"; content: " MAF0100 "; default_proto: tcp; classtype: unsuccessful-user; normalize; after: track by_username, count 3, seconds 900; threshold: type limit, track by_username, count 2, seconds 900; reference: url,wiki.quadrantsec.com/bin/view/Main/5003774; sid:5003774; rev:1;)
+
+# 10.16.101.200|local6|crit|crit|b2|2018-03-23|17:32:56|CSYS| iSecurity/Audit: MPW2100 PW/U *AUTFAIL User name GUEST not valid. Device . Remote location . Local location . Network Id .
+
+alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[AS400] AUTFAIL - User name not valid"; content: " MAF0100 "; default_proto: tcp; classtype: unsuccessful-user; normalize; after: track by_username, count 3, seconds 900; threshold: type limit, track by_username, count 2, seconds 900; reference: url,wiki.quadrantsec.com/bin/view/Main/5003775; sid:5003775; rev:1;)
+
+# 10.16.101.200|local6|err|err|b3|2018-03-19|19:33:32|CSYS| iSecurity/Audit: MAF1100 AF/K *AUTFAIL User GUEST attempted to perform an operation on QSYS/QTEDBGS *SRVPGM without the required Special Authority. JOB 111111/GUEST/XXXXXXXXXX.
+
+alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[AS400] AUTFAIL - Operation SVRPGM wihtout authority"; content: " MAF1100 "; default_proto: tcp; classtype: unsuccessful-user; normalize; after: track by_username, count 3, seconds 900; threshold: type limit, track by_username, count 2, seconds 900; reference: url,wiki.quadrantsec.com/bin/view/Main/5003776; sid:5003776; rev:1;)
+
+# 10.16.101.200|local6|alert|alert|b1|2018-04-27|14:01:07|CSYS| iSecurity/Audit: MPW1700 PW/Q *AUTFAIL User GUEST. Attempted signon (user authentication) failed because user GUEST profile was disabled.
+
+alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[AS400] AUTFAIL - Failed because profile was disabled"; content: " MPW1700 "; default_proto: tcp; classtype: unsuccessful-user; normalize; after: track by_username, count 3, seconds 900; threshold: type limit, track by_username, count 2, seconds 900; reference: url,wiki.quadrantsec.com/bin/view/Main/5003777; sid:5003777; rev:1;)
+
+# Might be noisey
+#
+# 10.16.101.200|local6|alert|alert|b1|2018-03-12|20:07:26|CSYS| iSecurity/Audit: MAF0100 AF/A *AUTFAIL User GUEST; Not authorized to object *N/*N *DIR in program /. Path name /home/GUEST.
+
+alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[AS400] AUTFAIL - User not authorized to object"; content: " MAF0100 "; default_proto: tcp; classtype: unsuccessful-user; normalize; after: track by_username, count 3, seconds 900; threshold: type limit, track by_username, count 2, seconds 900; reference: url,wiki.quadrantsec.com/bin/view/Main/5003778; sid:5003778; rev:1;)
+
+# 10.16.101.200|local6|notice|notice|b5|2018-04-24|18:18:50|CSYS| iSecurity/Audit: MAD2100 AD/U *SECURITY User GUEST; XXXXXXX used to change auditing of user GUEST. Job 111111/GUEST/XXXXXXXXX.
+
+alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[AS400] AUTFAIL - Changed audit status of user"; content: " MAD2100 "; default_proto: tcp; classtype: unsuccessful-user; normalize; after: track by_username, count 3, seconds 900; threshold: type limit, track by_username, count 2, seconds 900; reference: url,wiki.quadrantsec.com/bin/view/Main/5003779; sid:5003779; rev:1;)
+

normalization.rulebase

@@ -453,4 +453,9 @@ rule=: %-:string-to:User%User %username:word% %-:char-to:\\%\ %src-ip:char-to:\x
 
 rule=: %-:string-to:Account Name:%Account Name: %-:string-to:Account Name:%Account Name: %username:word% %-:string-to:Network Address:%Network Address: %src-ip:ipv4% %-:rest%
 
+# AS/400 rules (as400.rules)
+
+rule=: iSecurity/Audit: %-:word% %-:word% *AUTFAIL An incorrect password was entered. User %username:word% %-:rest%
+rule=: iSecurity/Audit: %-:word% %-:word% *AUTFAIL User %username:word% %-:rest%
+rule=: iSecurity/Audit: %-:word% %-:word% *SECURITY User %username:word% %-:rest%
 

sagan-sid-msg.map

@@ -3622,6 +3622,15 @@
 5003768 || [WINDOWS-SECURITY] System audit policy was changed || url,wiki.quadrantsec.com/bin/view/Main/5003768 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md
 5003769 || [WINDOWS-SECURITY] SID History was added to an account || url,wiki.quadrantsec.com/bin/view/Main/5003769 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md
 5003770 || [WINDOWS-SECURITY] An attempt to add SID History to an account failed || url,wiki.quadrantsec.com/bin/view/Main/5003770 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md
+5003771 || [AS400] AUTFAIL An incorrect password was entered || url,wiki.quadrantsec.com/bin/view/Main/5003771
+5003772 || [AS400] AUTFAIL fail - password expired [no username] || url,wiki.quadrantsec.com/bin/view/Main/5003772
+5003773 || [AS400] AUTFAIL - incorrect network password was used; content: " MVP1600  || url,wiki.quadrantsec.com/bin/view/Main/5003773
+5003774 || [AS400] AUTFAIL - Not authorized to object || url,wiki.quadrantsec.com/bin/view/Main/5003774
+5003775 || [AS400] AUTFAIL - User name not valid || url,wiki.quadrantsec.com/bin/view/Main/5003775
+5003776 || [AS400] AUTFAIL - Operation SVRPGM wihtout authority || url,wiki.quadrantsec.com/bin/view/Main/5003776
+5003777 || [AS400] AUTFAIL - Failed because profile was disabled || url,wiki.quadrantsec.com/bin/view/Main/5003777
+5003778 || [AS400] AUTFAIL - User not authorized to object || url,wiki.quadrantsec.com/bin/view/Main/5003778
+5003779 || [AS400] AUTFAIL - Changed audit status of user || url,wiki.quadrantsec.com/bin/view/Main/5003779
 6000510 || [OSSEC] Level 7 - Host-based anomaly detection event (rootcheck). (ossec_rules.xml:ossec)
 6000513 || [OSSEC] Level 9 - Windows malware detected. (ossec_rules.xml:ossec)
 6000518 || [OSSEC] Level 9 - Windows Adware/Spyware application found. (ossec_rules.xml:ossec)