
Add the new xbits:noeve; option to the silent xbit-setting rules (those already using xbits:nounified2;).

Champ Clark III
Champ Clark III committed May 24, 2018
1 parent b15dca5 commit f2d8fc53613118203a3d6d5e888b477dff979be4
Showing with 8 additions and 8 deletions.
  1. +1 −1 bash.rules
  2. +1 −1 nfcapd.rules
  3. +1 −1 nxlog.rules
  4. +1 −1 palo-alto.rules
  5. +1 −1 windows-auth.rules
  6. +1 −1 windows-correlated.rules
  7. +1 −1 windows-misc.rules
  8. +1 −1 windows-sysmon.rules
@@ -71,7 +71,7 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Perl subproces executi
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Ruby socket execution"; content:"HISTORY"; content:"ruby"; content:"ocket"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002313; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Ruby subproces execution"; content:"HISTORY"; content:"ruby"; content:"exec"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002314; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] mknod execution [XBIT SET]"; content:"HISTORY"; content:"mknod"; xbits:set,mknod_executed,60; xbits:nounified2; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002315; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] mknod execution [XBIT SET]"; content:"HISTORY"; content:"mknod"; xbits:set,mknod_executed,60; xbits:nounified2; xbits:noeve; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002315; rev:5;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] telnet reverse shell execution"; content:"HISTORY"; content:"telnet"; xbits:isset,by_src,mknod_executed; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002316; rev:3;)
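Review bot: With `xbits:noeve;` stacked on the existing `xbits:nounified2;`, sid 5002315 now writes nothing to either output, so a `mknod` in shell history that is not followed within the 60-second xbit lifetime by a `telnet` line (sid 5002316) leaves no trace anywhere in Sagan's output. That is a defensible design, but nothing in the file states it, and the `[XBIT SET]` tag and `classtype:suspicious-command` on a rule that never emits are easy to misread as an alert that should be visible. I'd put `# Intentionally silent in unified2 and EVE: exists only to set mknod_executed for sid 5002316.` on the line above 5002315. It is also worth confirming that no downstream consumer (e.g. syslog output) still expects the raw mknod event, since the rev bump is the only visible signal of this behaviour change.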
@@ -82,7 +82,7 @@ alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[NFCAPD] Telnet Traffic Dete
# Tor traffic via nfcapd - Robert Nunley 05/08/2015
#alert any $HOME_NET any -> $EXTERNAL_NET any(msg: "[NFCAPD] Possible TOR - Port 9001"; program: nfcapd; normalize; content: "/9001, protocol|3a| TCP,"; xbits: set, tor_traffic, 15; xbits:nounified2; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 9001; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; reference: url, wiki.quadrantsec.com/bin/view/Main/5002300; reference: url, torstatus.blutmagie.de; sid: 5002300; rev:9;)
#alert any $HOME_NET any -> $EXTERNAL_NET any(msg: "[NFCAPD] Possible TOR - Port 9001"; program: nfcapd; normalize; content: "/9001, protocol|3a| TCP,"; xbits: set, tor_traffic, 15; xbits:nounified2; xbits:noeve; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 9001; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; reference: url, wiki.quadrantsec.com/bin/view/Main/5002300; reference: url, torstatus.blutmagie.de; sid: 5002300; rev:10;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[NFCAPD] Possible TOR - Port 9030 after Port 9001"; program: nfcapd; normalize; content: "/9030, protocol|3a| TCP,"; xbits: isset, by_src, tor_traffic; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 9030; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002301; reference: url, torstatus.blutmagie.de; sid: 5002301; rev:7;)
@@ -34,5 +34,5 @@ alert any any any -> any any (msg: "[NXLOG] Service stopping"; content: "stoppin
alert any any any -> any any (msg: "[NXLOG] Missing Windows Log Message"; pcre: "/ [0-9][0-9][0-9][0-9]?: $/"; program: *Security*|AppLocker|Application|Backup|Bonjour|CPQCISSE|Citrix|DAC|DHCP-Server|EMET|Eventlog|MSSQL*|MsiInstaller|NtFrs|Ntfs|RemoteAccess|Service|Service_Control_Manager|Symantec|Sysmon|System|USER32|Tenable|TermService|The|WinVNC4|crypt32; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; xbits: set,nxlog_problem,86400; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5003111; sid:5003111; rev:6;)
alert any any any -> any any (msg: "[NXLOG] Service restart to correct problem [CLEAR XBIT]"; content: "stopping nxlog service"; xbits: isnotset,by_src,reboot.windows; xbits: isset,by_src,nxlog_problem; xbits: unset,by_src,nxlog_problem; xbits:nounified2; classtype: system-event; program: nxlog; reference: url,wiki.quadrantsec.com/bin/view/Main/5003125; sid:5003125; rev:1;)
alert any any any -> any any (msg: "[NXLOG] Service restart to correct problem [CLEAR XBIT]"; content: "stopping nxlog service"; xbits: isnotset,by_src,reboot.windows; xbits: isset,by_src,nxlog_problem; xbits: unset,by_src,nxlog_problem; xbits:nounified2; xbits:noeve; classtype: system-event; program: nxlog; reference: url,wiki.quadrantsec.com/bin/view/Main/5003125; sid:5003125; rev:2;)
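Review bot: Sid 5003125 is the only rule that clears `nxlog_problem` (set by 5003111 with an 86400-second lifetime), and after this change the clear is invisible in both unified2 and EVE, so an analyst who acted on the 5003111 alert has no Sagan-side record that the agent restart resolved it. If that is acceptable, say so in the file: `# Silent in all outputs; only clears nxlog_problem (set by 5003111) when the service restarts outside a reboot window.` placed above the rule. If the resolution should remain visible, the `noeve` keyword belongs on a separate silent clearing rule rather than on this one, whose `[CLEAR XBIT]` msg and `system-event` classtype suggest it was meant to be seen.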
@@ -58,7 +58,7 @@ alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Url Blocked by p
#####
##### Following rule is used in conjunction with meta_content variable IGNOREDL and set silent xbit which are checked in rule 5002762
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Url silent xbit set"; content:",THREAT,url,"; content:!",block-url,"; meta_content: "%sagan%",$IGNOREDL; meta_nocase; xbits:set,downloadnolog,60; xbits:nounified2; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: suspicious-traffic; reference: url,www.brightcloud.com/tools/url-ip-lookup.php; sid: 5002754; rev:4;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Url silent xbit set"; content:",THREAT,url,"; content:!",block-url,"; meta_content: "%sagan%",$IGNOREDL; meta_nocase; xbits:set,downloadnolog,60; xbits:nounified2; xbits:noeve; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: suspicious-traffic; reference: url,www.brightcloud.com/tools/url-ip-lookup.php; sid: 5002754; rev:5;)
#####VIRI
@@ -195,7 +195,7 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Lo
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x3D - Field is too long for this implementation [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3D "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001785; sid: 5001785; rev:8;)
# Account "re-enabled" via xbit (12/03/2013)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account created [XBIT SET]"; pcre: "/ 624: | 4720: /"; program: *Security*; classtype: successful-user; xbits: set, created_enabled, 30; xbits:nounified2; reference: url,wiki.quadrantsec.com/bin/view/Main/5001880; sid: 5001880; rev:7;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account created [XBIT SET]"; pcre: "/ 624: | 4720: /"; program: *Security*; classtype: successful-user; xbits: set, created_enabled, 30; xbits:nounified2; xbits:noeve; reference: url,wiki.quadrantsec.com/bin/view/Main/5001880; sid: 5001880; rev:8;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account re-enabled"; pcre: "/ 626: | 4722: /"; content:! "$" ;program: *Security*; xbits: isnotset, by_src, created_enabled; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001881; sid: 5001881; rev:6;)
# Rule added by Brian Echeverry ( becheverry@quadrantsec.com) - 02/21/2014
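Review bot: Sid 5001880 is the only rule visible here that matches event 624/4720 (account created), and it now emits nothing to EVE or unified2, so account creation itself is no longer recorded unless another rule outside this hunk covers it — worth confirming before shipping. A second, pre-existing issue the commit leaves as is: `created_enabled` is keyed per source only (`isnotset, by_src` in 5001881), not per account, so any 626/4722 from the same source within 30 seconds of any account creation is suppressed, including the re-enabling of a different, dormant account. I'd at least document both: `# Silent setter (no unified2/EVE). Suppresses 5001881 for 30s per source after ANY account creation, not just the created account.`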
@@ -51,7 +51,7 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-CORRELATED] Suspici
# -- WMIC commands/execution across a network
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-CORRELATED] wmiprvse.exe [XBIT SET]"; content: " 4688|3a| "; pcre: "/Process Name: (.*)wmiprvse\.exe(.*)/i"; xbits: set,wmiprvse,1; xbits:nounified2; classtype: suspicious-command; program: *Security*; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003385; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003385; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-CORRELATED] wmiprvse.exe [XBIT SET]"; content: " 4688|3a| "; pcre: "/Process Name: (.*)wmiprvse\.exe(.*)/i"; xbits: set,wmiprvse,1; xbits:nounified2; xbits:noeve; classtype: suspicious-command; program: *Security*; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003385; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003385; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-CORRELATED] Possible remote WMIC command execution"; program: *Security*; content: " 4624|3a| "; content: "Logon Type|3a| 3"; content:!"Source Network Address|3a| -"; xbits: isset,src_xbitdst,wmiprvse; parse_src_ip: 1; parse_port; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003386; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003386; classtype:suspicious-login; rev:1;)
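Review bot: The correlation in 5003386 now depends entirely on 5003385, which sets `wmiprvse` with a 1-second lifetime and, after this change, leaves no output of its own, so a 4688 for wmiprvse.exe whose matching Type 3 4624 arrives more than a second later (or before it, depending on forwarder ordering) produces no alert and no record to fall back on. I cannot tell from the hunk whether the 1-second window was measured against real event ordering; a comment would save the next maintainer the same question: `# Silent setter. 1s lifetime assumes the 4688 for wmiprvse.exe is processed before the Type 3 4624 from the same host — verify against forwarder ordering.` On style, `pcre: "/Process Name: (.*)wmiprvse\.exe(.*)/i"` captures two groups it never uses; `/Process Name: .*wmiprvse\.exe/i` matches the same lines with less backtracking.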
@@ -107,7 +107,7 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Windows audit
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] A directory service object was moved"; content: " 5139|3a| "; classtype: configuration-change; program: *Security*; sid:5002275; rev:3;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MISC] System shutdown [XBIT SET]"; content: " 1074|3a| "; program: System|USER32; xbits: set, reboot.windows,900; xbits:nounified2; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5002014; sid: 5002014; rev:22;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MISC] System shutdown [XBIT SET]"; content: " 1074|3a| "; program: System|USER32; xbits: set, reboot.windows,900; xbits:nounified2; xbits:noeve; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5002014; sid: 5002014; rev:23;)
# Added by Brian Echeverry (09/22/2015)
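Review bot: Sid 5002014 is the rule that records Windows shutdowns (event 1074), and with `xbits:noeve;` added it no longer appears in any output; its `reboot.windows` xbit is consumed by nxlog.rules sid 5003125 (`isnotset,by_src,reboot.windows`), so the rule still matters, but the shutdown event itself becomes invisible for the 900-second window and beyond. Shutdowns are commonly wanted in a SIEM in their own right, so I'd either keep a visible 1074 rule alongside this silent setter, or document the trade-off: `# Silent in unified2/EVE; only sets reboot.windows (900s) so 5003125 can ignore nxlog stops during a reboot.` I also note this rule uses `$HOME_NET any -> $EXTERNAL_NET` while the other setters in this commit use the opposite direction; I cannot tell from the hunk whether that is deliberate, so it deserves a one-line comment if it is.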
@@ -87,4 +87,4 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] SYSMON Possi
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible credential dumper execution"; content: " 1|3a| "; pcre: "/ImageLoad: (.*)(wdigest\.dll|kerberos\.dll|tspkg\.dll|sspicli\.dll|samsrv\.dll|secur32\.dll|samlib\.dll|wlanapi\.dll|vaultcli\.dll|cypt32\.dll|cryptdll\.dll|netapi\.dll|netlogon\.dll|msv1_0\.dll)(.*)/i"; program: *Sysmon*; xbits: isset,by_src,creddump; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003390; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype: suspicious-command; sid:5003390; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible credential dumper execution"; content: " 1|3a| "; pcre: "/ImageLoad: (.*)(wdigest\.dll|kerberos\.dll|tspkg\.dll|sspicli\.dll|samsrv\.dll|secur32\.dll|samlib\.dll|wlanapi\.dll|vaultcli\.dll|cypt32\.dll|cryptdll\.dll|netapi\.dll|netlogon\.dll|msv1_0\.dll)(.*)/i"; program: *Sysmon*; xbits: set,creddump,1; xbit: nounified2; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003391; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype: suspicious-command; sid:5003391; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible credential dumper execution"; content: " 1|3a| "; pcre: "/ImageLoad: (.*)(wdigest\.dll|kerberos\.dll|tspkg\.dll|sspicli\.dll|samsrv\.dll|secur32\.dll|samlib\.dll|wlanapi\.dll|vaultcli\.dll|cypt32\.dll|cryptdll\.dll|netapi\.dll|netlogon\.dll|msv1_0\.dll)(.*)/i"; program: *Sysmon*; xbits: set,creddump,1; xbit: nounified2; xbits:noeve; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003391; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype: suspicious-command; sid:5003391; rev:2;)
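Review bot: The new line for sid 5003391 keeps `xbit: nounified2;` (singular keyword) next to the added `xbits:noeve;`, while every other rule in this commit spells it `xbits:nounified2;`; if the parser does not accept the singular form the unified2 suppression is silently not applied, so normalise it to `xbits:nounified2;`. Independently, the DLL alternation contains `cypt32\.dll`, which can never match `crypt32.dll` (the same name the nxlog program list spells correctly), so one of the fourteen intended credential-access DLLs is effectively absent from both 5003391 and the unchanged 5003390 above it; change it to `crypt32\.dll` in both. A short comment above the pair explaining the 1-second `creddump` xbit (first matching load arms the bit, a second load within a second fires 5003390) would also help, since the two rules are identical except for the xbits clause.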
