Tweet to citrix-geoip to ignore "anonymous user" and new normalizatio…

…n rules.
beave · Feb 6, 2018 · d89f52c · d89f52c
1 parent 93b186e
commit d89f52c
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/citrix-geoip.rules b/citrix-geoip.rules
@@ -28,7 +28,7 @@
 
 # Login from outside home country (Champ Clark / 04/01/2015)
 
-alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-GEOIP] Login from outside HOME_COUNTRY"; content: "SSLVPN LOGIN"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; country_code: track by_src, isnot $HOME_COUNTRY; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002260; sid:5002260; rev:3;)
+alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-GEOIP] Login from outside HOME_COUNTRY"; content: "SSLVPN LOGIN"; content:!"User anonymous"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; country_code: track by_src, isnot $HOME_COUNTRY; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002260; sid:5002260; rev:4;)
 
 #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-GEOIP] AAA LOGIN_FAILED from outside HOME_COUNTRY"; content: "AAA LOGIN_FAILED"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-user; parse_src_ip: 1; normalize; country_code: track by_src, isnot $HOME_COUNTRY; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002280; sid:5002280; rev:3;)
 

diff --git a/normalization.rulebase b/normalization.rulebase
@@ -399,3 +399,14 @@ rule=: %-:string-to:User%User %username:word% logged in from %src-ip:ipv4% %-:re
 
 rule=: %-:string-to:Account Name:%Account Name: %username:char-to:\x40%%-:string-to:Client Address:%Client Address: ::ffff:%src-ip:ipv4% %-:rest%
 
+# Added 2017/02/06
+
+# These for Microsoft Windows events 6272: and 6273:
+#6273: Network Policy Server denied access to a user.
+
+rule=: %-:string-to:Account Name:%Account Name: %username:word% %-:string-to:Called Station Identifier:%Called Station Identifier: %nasMAC:char-to  :\ x3a%:%-:string-to:Calling Station Identifier:%Calling Station Identifier: %userMAC:char-to  :\ x20% %-:string-to:NAS IPv4 Address:%NAS IPv4 Address: %nasIP:ipv4% %-:string-to:NAS Identifier:%NAS Identifier: %nasHost:word% %-:string-to:Reason Code:%Reason Code: %reasonCode:word% %-:rest%
+
+#6272: Network Policy Server granted access to a user
+
+rule=: %-:string-to:Account Name:%Account Name: %username:word% %-:string-to:Called Station Identifier:%Called Station Identifier: %nasMAC:char-to  :\ x3a%:%-:string-to:Calling Station Identifier:%Calling Station Identifier: %userMAC:char-to  :\ x20% %-:string-to:NAS IPv4 Address:%NAS IPv4 Address: %nasIP:ipv4% %-:string-to:NAS Identifier:%NAS Identifier: %nasHost:word% %-:string-to:Result:%Result: %reasonCode:word% %-:rest%
+