
Renamed a vsftpd-correlated rule

Champ Clark III
Champ Clark III committed Nov 7, 2017
1 parent 8557a59 commit df9281a5ab10a3239412981460c4b44c4744f695
Showing with 3 additions and 2 deletions.
  1. +1 −1 sagan-sid-msg.map
  2. +2 −1 vsftpd-correlated.rules
@@ -2286,7 +2286,7 @@
5002386 || [VMWARE-CORRELATED] User login successful after suspicious activity || url,wiki.quadrantsec.com/bin/view/Main/5002386
5002387 || [VSFTPD-GEOIP] Authentication successful from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002387
5002388 || [VSFTPD-GEOIP] File uploaded from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002388
5002389 || [VSFTPD-CORRELATED] Authentication successful from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002389
5002389 || [VSFTPD-CORRELATED] Authentication after suspicious activity || url,wiki.quadrantsec.com/bin/view/Main/5002389
5002390 || [VSFTPD-CORRELATED] File uploaded from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002390
5002391 || [WINDOWS-OWA-CORRELATED] Login failure after suspicious activity || url,wiki.quadrantsec.com/bin/view/Main/5002391
5002392 || [WINDOWS-MISC] Microsoft Antimalware has encountered an error trying to update signatures || url,wiki.quadrantsec.com/bin/view/Main/5002392
@@ -25,6 +25,7 @@
#
#*************************************************************
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD-CORRELATED] Authentication successful from outside HOME_COUNTRY"; content: "OK LOGIN"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; program: vsftpd; xbits: isset,by_src,recon|honeypot|exploit_attempt|brute_force; reference: url,wiki.quadrantsec.com/bin/view/Main/5002389; sid:5002389; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD-CORRELATED] Authentication after suspicious activity"; content: "OK LOGIN"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; program: vsftpd; xbits: isset,by_src,recon|honeypot|exploit_attempt|brute_force; reference: url,wiki.quadrantsec.com/bin/view/Main/5002389; sid:5002389; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD-CORRELATED] File uploaded from outside HOME_COUNTRY"; content: "OK UPLOAD"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; xbits: isset,by_src,recon|honeypot|exploit_attempt|brute_force; program: vsftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5002390; sid:5002390; rev:3;)
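Review bot: The sibling rule sid:5002390 at the end of this hunk still has the title `[VSFTPD-CORRELATED] File uploaded from outside HOME_COUNTRY`, although like 5002389 it fires on `xbits: isset,by_src,recon|honeypot|exploit_attempt|brute_force` and shows no GeoIP condition. It therefore keeps the misleading name this commit corrects for 5002389, and its alerts read the same as the VSFTPD-GEOIP entry 5002388 in sagan-sid-msg.map. Consider renaming it the same way, for example `msg:"[VSFTPD-CORRELATED] File uploaded after suspicious activity";` with a rev bump and the matching map line. The new 5002389 title also drops "successful" even though the rule matches `OK LOGIN`; `Authentication successful after suspicious activity` would tell the analyst the login succeeded and would line up with the neighbouring VMWARE-CORRELATED wording. The wiki page behind the unchanged `reference:` URL presumably still carries the old title and may need the same edit.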
