
Updates to sonicwall.rules

Champ Clark III
Champ Clark III committed Sep 13, 2018
1 parent 1a78999 commit f590bf474bc4baa2876957a49a42d3c074a316ff
Showing with 23 additions and 21 deletions.
  1. +23 −21 sonicwall.rules
@@ -25,30 +25,32 @@
#
#*************************************************************
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SONICWALL] Possible TCP Port Scan"; content: "Possible port scan detected"; content: "TCP scanned port list"; default_proto: tcp; classtype: network-scan; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001085; sid: 5001083; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SONICWALL] Possible UDP Port Scan"; content: "Possible port scan detected"; content: "UDP scanned port list"; default_proto: udp; classtype: network-scan; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001085; sid: 5001085; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SONICWALL] Possible TCP Port Scan"; content: "Possible port scan detected"; content: "TCP scanned port list"; default_proto: tcp; parse_src_ip: 2; parse_dst_ip: 3; classtype: network-scan; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001085; sid: 5001083; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SONICWALL] Possible UDP Port Scan"; content: "Possible port scan detected"; content: "UDP scanned port list"; default_proto: udp; parse_src_ip: 2; parse_dst_ip: 3; classtype: network-scan; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001085; sid: 5001085; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SONICWALL] IPS Detection Alert"; content: "IPS Detection Alert"; content: "ICMP PING"; default_proto: icmp; classtype: network-scan; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001084; sid: 5001084; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SONICWALL] IPS Detection Alert"; content: "IPS Detection Alert"; default_proto: icmp; classtype: network-scan; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001090; sid: 5001090; rev:4;)
# These where created by Kevin Gross (kgross@quadrantsec.com)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Possible restart for system maintenance"; content: "As per Diagnostic Auto-restart configuration request, restarting system"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002601; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Auto-Dial Failure"; content: "auto-dial failed: Current Connection Model is configured as Ethernet Only"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002602; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Ethernet Port Down"; content: "Ethernet Port Down"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002603; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Ethernet Port Up"; content: "Ethernet Port Up"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002604; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Registration Update Needed"; content: "Registration Update Needed"; content: "Restore your existing security service subscRIPtions by clicking"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002605; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] 3G Device Detected"; content: "3G"; content: "device detected"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002606; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] 3G Data Limit Reached"; content: "3G"; content: "data usage limit reached"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002607; rev:3; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] No 3G Sim Card Detected"; content: "3G"; content: "No SIM detected"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002608; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Preferences File Inaccessable"; content: "A prior version of preferences was loaded because the most recent preferences file was inaccessible"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002609; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] OS Upgrade Performed"; content: "A SonicOS Standard to Enhanced Upgrade was performed"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002610; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Attempted access from host out of compliance with GSC policy"; content: "Access attempt from host out of compliance with GSC policy"; classtype: configuration-error; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002611; rev:3; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Auto-Dial Failure"; content: "auto-dial failed: Current Connection Model is configured as Ethernet Only"; classtype: system-event; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002602; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Ethernet Port Down"; content: "Ethernet Port Down"; classtype: hardware-event; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002603; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Ethernet Port Up"; content: "Ethernet Port Up"; classtype: hardware-event; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002604; rev:3;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Registration Update Needed"; content: "Registration Update Needed"; content: "Restore your existing security service subscRIPtions by clicking"; classtype: system-event; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002605; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] 3G Device Detected"; content: "3G"; content: "device detected"; classtype: hardware-event; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002606; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] 3G Data Limit Reached"; content: "3G"; content: "data usage limit reached"; classtype: system-event; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002607; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] No 3G Sim Card Detected"; content: "3G"; content: "No SIM detected"; classtype: hardware-event; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002608; rev:3; )
# This rule's content is bad, bad.
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Preferences File Inaccessable"; content: "A prior version of preferences was loaded because the most recent preferences file was inaccessible"; classtype: system-event; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002609; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] OS Upgrade Performed"; content: "A SonicOS Standard to Enhanced Upgrade was performed"; classtype: system-event; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002610; rev:3;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Attempted access from host out of compliance with GSC policy"; content: "Access attempt from host out of compliance with GSC policy"; classtype: configuration-error; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002611; rev:4;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Access attempt from host without Anti-Virus agent installed"; content: "Access attempt from host without Anti-Virus agent installed"; classtype: configuration-error; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002612; rev:3; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Security Services"; content: "Access attempt from host without GSC installed"; classtype: configuration-error; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002613; rev:3; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Rule Added"; content: "Access rule added"; classtype: configuration-change; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002614; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Rule Deleted"; content: "Access rule deleted"; classtype: configuration-change; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002615; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Rule Modified"; content: "Access rule modified"; classtype: configuration-change; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002616; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Rule reset to defaults"; content: "Access rules restored to defaults"; classtype: configuration-change; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002617; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Accept attempt from host without GSC"; content: "Access attempt from host without GSC installed"; classtype: configuration-error; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002613; rev:3; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Rule Added"; content: "Access rule added"; classtype: configuration-change; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002614; rev:3;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Rule Deleted"; content: "Access rule deleted"; classtype: configuration-change; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002615; rev:3;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Rule Modified"; content: "Access rule modified"; classtype: configuration-change; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002616; rev:3;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Rule reset to defaults"; content: "Access rules restored to defaults"; classtype: configuration-change; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002617; rev:3;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Network Access to proxy server denied"; content: "Access to proxy server denied"; classtype: permissions-violation; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002618; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] ActiveX access denied"; content: "ActiveX access denied"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002619; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] ActiveX or Java archive access denied"; content: "ActiveX or Java archive access denied"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002620; rev:3; )
@@ -129,10 +131,10 @@ alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detecti
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Possible RST Flood"; content: "Possible RST Flood"; classtype: attempted-dos; threshold: type limit, track by_src, count 1, seconds 300; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002695; rev:4; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Possible SYN Flood"; content: "Possible SYN Flood"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002696; rev:3; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Priority attack dropped"; content: "Priority attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002697; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Probable port scan detected"; content: "Probable port scan detected"; classtype: network-scan; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002698; rev:3; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Probable TCP FIN scan detected"; content: "Probable TCP FIN scan detected"; classtype: network-scan; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002699; rev:3; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Probable TCP NULL scan detected"; content: "Probable TCP NULL scan detected"; classtype: network-scan; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002700; rev:3; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Probable TCP XMAS scan detected"; content: "Probable TCP XMAS scan detected"; classtype: network-scan; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002701; rev:3; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Probable port scan detected"; content: "Probable port scan detected"; classtype: network-scan; parse_src_ip: 2; parse_dst_ip: 3; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002698; rev:4;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Probable TCP FIN scan detected"; content: "Probable TCP FIN scan detected"; classtype: network-scan; parse_src_ip: 2; parse_dst_ip: 3; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002699; rev:4;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Probable TCP NULL scan detected"; content: "Probable TCP NULL scan detected"; classtype: network-scan; parse_src_ip: 2; parse_dst_ip: 3; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002700; rev:4;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Probable TCP XMAS scan detected"; content: "Probable TCP XMAS scan detected"; classtype: network-scan; parse_src_ip: 2; parse_dst_ip: 3; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002701; rev:4;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Wan Failover - Possible recon attempt"; content: "Probing failure on"; classtype: attempted-recon; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002702; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Wan Failover - Recon attempt"; content: "Probing suceeded on"; classtype: successful-recon-limited; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002703; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware - Clock battery has failed"; content: "Real time clock battery failure Time values may be incorrect"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002704; rev:2; )
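Review bot: sid 5002613 occurs twice at rev 3 with different msg text ("Security Services" and "Accept attempt from host without GSC", both matching `Access attempt from host without GSC installed`), and the second copy keeps `parse_src_ip: 1; parse_dst_ip: 2;` while the neighbouring 5002614–5002617 rewrites drop those options; if both lines are live on the new side Sagan loads two rules with one sid, and if the lower one is the replacement it should be `rev:4;` with the parse options aligned with its siblings. The rev:4 TCP port-scan rule for sid 5001083 still carries `reference: url,wiki.quadrantsec.com/bin/view/Main/5001085`, the UDP rule's page, so it should read `reference: url,wiki.quadrantsec.com/bin/view/Main/5001083`. The comment `# This rule's content is bad, bad.` above the disabled 5002609 rule does not say what is wrong; it should name the problem (for example that the literal does not match the string SonicOS actually emits) so someone can fix and re-enable it. The scan rules now take addresses with `parse_src_ip: 2; parse_dst_ip: 3;`, so a one-line comment quoting the SonicOS message layout those positions come from would help, and the rules that lost `parse_src_ip`/`parse_dst_ip` presumably now attribute the event to the syslog sender rather than an address in the message, which is worth stating next to them.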

