首页 开源 资讯 活动 开源许可证
软件工程云服务
软件代码质量检测云服务 持续集成与部署云服务 社区个性化内容推荐服务 贡献审阅人推荐服务 群体化学习服务 重睛鸟代码扫描工具
Watch 1 Star 0 Fork 0

OSSIM/sagan-rules

代码 Issues 0 Pull Requests 0 Wiki 0 统计
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
项目仓库所选许可证以仓库主分支所使用许可证为准
克隆/下载
cisco-bluedot.rules 8.34 KB
一键复制 编辑 原始数据 按行查看 历史
Champ Clark III 提交于 2020-05-19 11:48 . Date bump! New proofpoint rules!
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667
# Sagan cisco-bluedot.rules

# Copyright (c) 2009-2020. Quadrant Information Security <www.quadrantsec.com>

# All rights reserved.

#

# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list

#

#*************************************************************

#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the

#  following conditions are met:

#

#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following

#    disclaimer.

#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the

#    following disclaimer in the documentation and/or other materials provided with the distribution.

#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived

#    from this software without specific prior written permission.

#

#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,

#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR

#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,

#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE

#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

#





alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[CISCO-BLUEDOT] Suspicious TCP connection detected via Bluedot"; program: %ASA*-6-*|%ASA*-7-*; content: " TCP "; content:!" bytes 0 "; bluedot: type ip_reputation, track all, mdate_effective_period 1 months, Malicious,Tor,Proxy; normalize; parse_src_ip: 1; parse_dst_ip: 2; threshold: type suppress, track by_src, count 1, seconds 7200; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5002868; sid: 5002868; rev:7;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[CISCO-BLUEDOT] Suspicious UDP connection detected via Bluedot"; program: %ASA*-6-*|%ASA*-7-*; content: " UDP "; content:!" bytes 0 "; content:!"|2f|123 "; bluedot: type ip_reputation, track all, mdate_effective_period 1 months, Malicious,Tor,Proxy; normalize; parse_src_ip: 1; parse_dst_ip: 2; threshold: type suppress, track by_src, count 1, seconds 7200; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5002869; sid: 5002869; rev:9;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[CISCO-BLUEDOT] Suspicious ICMP connection detected via Bluedot"; program: %ASA*-6-*|%ASA*-7-*; content: " ICMP "; bluedot: type ip_reputation, track all, mdate_effective_period 1 months, Malicious,Tor,Proxy; normalize; parse_src_ip: 1; parse_dst_ip: 2; threshold: type suppress, track by_src, count 1, seconds 7200; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5002879; sid:5002879; rev:8;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[CISCO-BLUEDOT] Suspicious GRE connection detected via Bluedot"; program: %ASA*-6-*|%ASA*-7-*; content: " GRE "; bluedot: type ip_reputation, track all, mdate_effective_period 1 months, Malicious,Tor,Proxy; normalize; parse_src_ip: 1; parse_dst_ip: 2; threshold: type suppress, track by_src, count 1, seconds 7200; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5002880; sid:5002880; rev:8;)



alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLUEDOT] VPN Login from suspicious source"; program: %ASA*-6-716038; bluedot: type ip_reputation, track all, none, Malicious,Tor,Honeypot,Proxy; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002870; sid:5002870; rev: 5;)



# %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: testuser] [Source: 10.10.10.10] [localport: 22] at 05:00:13 EST Sun Dec 1 2013



alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLUEDOT] Console login from suspicious source"; program: %SEC_LOGIN-5-LOGIN_SUCCESS; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002871; sid:5002871; rev: 4;)



# 10.1.2.1|local4|info|info|a6|2013-12-02|08:00:03|%ASA*-6-605005| Login permitted from 10.1.1.1/54112 to inside:10.1.2.1/ssh for user "bob"



alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLUEDOT] Login permitted from suspicious source"; program: %ASA*-6-605005; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; classtype:  successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002872; sid:5002872; rev: 4;)



# WebVPN



alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLUEDOT] VPN login from suspicious source"; program: %ASA*-6-716001|%ASA*-6-716038; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002873; sid:5002873; rev: 4;)



# Group = AnyConnect, Username = bob, IP = 10.10.10.10, Session disconnected. Session Type: SSL, Duration: 12h:00m:19s, Bytes xmt: 332468520, Bytes rcv: 130276830, Reason: Max time exceeded



alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLUEDOT] VPN disconnect from suspicious source"; program: %ASA*-4-113019|%ASA*-6-716002|%ASA*-6-721018; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002874; sid:5002874; rev: 5;)



# 10.8.5.10|local4|info|info|a6|2014-02-18|02:12:41|%ASA*-6-734001| DAP: User bob, Addr 10.10.10.10, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy



alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLUEDOT] VPN/AnyConnect login from suspicious source"; program: %ASA*-6-734001; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002875; sid:5002875; rev: 4;)



# Cisco ACS (via VPN) - authentication success

# 10.10.10.10|auth|info|info|26|2014-02-20|16:26:58|CisACS_01_PassedAuth| 12s245v32 1 0 Message-Type=Authen OK,User-Name=BOB,NAS-IP-Address=172.16.1.1,Caller-ID=199.44.66.11,NAS-Port=58642432,Group-Name=VPN Users,Filter Information=No Filters activated.,



alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLUEDOT] ACS Login success from suspicious source"; program: CisACS_01_PassedAuth; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; classtype: successful-user; parse_src_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002876; sid:5002876; rev: 4;)



# 2014-05-07 09:32:45|10.8.0.5|129815|local4|info|info|%ASA*-6-722022| Group <GroupPolicy1> User <Bob> IP <10.10.102.102> UDP SVC connection established without compression



alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLUEDOT] VPN login from suspicious source [2]"; program: %ASA*-6-722022|%ASA*-6-722023; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002877; sid:5002877; rev: 4;)



# 2014-05-07 16:41:47|192.168.1.1|7050594|local0|info|info|%ASA*-6-303002| FTP connection from inside:10.20.11.20/2351 to dmz:192.168.1.1/21, user bob Stored file somefile



alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLUEDOT] FTP file transfer from or to  suspicious source"; program: %ASA*-6-303002; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: successful-user; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5002878; sid: 5002878; rev: 5;)
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化