This repository has not declared an open-source license file (LICENSE); check the project description and the upstream dependencies of its code before using it.
fingerprint.rules 45.86 KB
Champ Clark III committed on 2020-02-17 19:24 . New fingerprint rules.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"airportd service detected"; program: airportd; metadata: fingerprint_source logs, fingerprint_os osx, fingerprint_type client, fingerprint_expire 7200; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100000; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"com.apple.xpc.launchd service detected"; program: com.apple.xpc.launchd; metadata: fingerprint_source logs, fingerprint_os osx, fingerprint_type client, fingerprint_expire 7200; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100001; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"powerd service detected"; program: powerd; metadata: fingerprint_source logs, fingerprint_os osx, fingerprint_type client, fingerprint_expire 7200; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100002; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"syspolicyd service detected"; program: syspolicyd; metadata: fingerprint_source logs, fingerprint_os osx, fingerprint_type client, fingerprint_expire 7200; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100003; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"usernoted service detected"; program: usernoted; metadata: fingerprint_source logs, fingerprint_os osx, fingerprint_type client, fingerprint_expire 7200; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100004; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"hidd service detected"; program: hidd; metadata: fingerprint_source logs, fingerprint_os osx, fingerprint_type client, fingerprint_expire 7200; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100005; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"acpid service running"; program: acpid; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 7200; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100006; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Amavis mail content filter detected"; program: amavis|amavis-*; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100007; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"anacron service detected"; program: anacron; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100008; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Apache web server running"; program: apache|apache2|httpd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100009; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"auditd service running"; program: auditd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100010; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"bash shell in use"; program: bash|-bash; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100011; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"certbot execution for TLS/SSL cert updates"; program: certbot; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100012; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"clamd anti-virus detected"; program: clamd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100013; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"ksh shell in use"; program: ksh; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100014; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"tcsh shell in use"; program: tcsh; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100015; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"csh shell in use"; program: csh; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100016; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Generic /bin/sh shell in use"; program: sh|-sh; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100017; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"HP Hardware services detected"; program: hpasrd|hpasmlited|cmaeventd|cmaidad|cmanicd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100018; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Generic crond detected"; program: cron|CRON|CROND; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100019; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Cuckoo malware analysis detected"; program: cuckoo; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100020; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Daemonlogger full packet capture engine"; program: daemonlogger; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100021; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"dbus service detected"; program: dbus; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100022; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"dhclient service detected"; program: dhclient; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type client, fingerprint_expire 7200; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100023; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"dhcpd - DHCP server detected"; program: dhcpd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100024; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"exim4 SMTP service detected"; program: exim4; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100025; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Firefox web browser detected"; program: firefox; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type client, fingerprint_expire 7200; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100026; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"SysV init service detected"; program: init; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100029; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Unix 'kernel' messages detected"; program: kernel; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100030; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"knockd service detected"; program: knockd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100031; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Mattermost detected"; program: mattermost; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type client, fingerprint_expire 7200; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100032; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"MySQL services detected"; program: mysql|mysqld|MySQL; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100033; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"nginx web server running"; program: nginx; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100034; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Linux name service cache daemon detected"; program: nscd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100035; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Network Time Protocol Server detected"; program: ntpd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100036; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"opendkim for SMTP services detected"; program: opendkim; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100037; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"OpenVPN services detected"; program: openvpn|ovpn-*; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100038; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Postfix SMTP services detected"; program: postfix|postfix/*; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100039; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"procmail detected"; program: procmail; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100040; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"rsync client execution"; program: rsync; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 7200; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100041; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"rsyncd service detected"; program: rsyncd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100042; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"RSyslog detected"; program: rsyslogd|rsyslogd-*; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100043; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Sagan detected!!"; program: sagan; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100044; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"SASL authentication daemon detected"; program: saslauthd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100045; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Synology Command Execution Management Daemon"; program: scemd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100046; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Sendmail detected"; program: sendmail|sm-*; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100047; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"slapd LDAP daemon detected"; program: slapd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100048; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"snmpd service running"; program: snmpd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100050; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"snmptrapd service running"; program: snmptrapd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100051; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Snort IDS engine"; program: snort; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100052; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"sshd detected"; program: sshd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100053; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"sSMTP service detected"; program: sSMTP; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100054; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"stunnel service detected"; program: stunnel; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100055; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Suricata IDS engine is running"; program: suricata; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100056; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Generic syslog service detected"; program: syslog|syslogd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100057; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"syslog-ng service detected"; program: syslog-ng; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100059; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"systemd detected"; program: systemd|systemd-*; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 7200; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100060; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"unattended-upgrade (Debian/Ubuntu) detected"; program: unattended-upgrade; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100062; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"yk_chkpwd - Yubikey usage"; program: yk_chkpwd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100063; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Zimbra services running"; program: zimbra|zimbra*|zmconfigd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100064; rev:1;)
# -----
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "ProFTPD detected"; program: proftpd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100065; sid:5100065; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "APC-EMU logs detected"; program: EMU; metadata: fingerprint_source logs, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100066; sid:5100066; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Arpalert or Arpwatch logs detected"; program: arpalert|arpwatch; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100067; sid:5100067; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Asterisk phone system detected"; program: asterisk; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100068; sid:5100068; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "BIND/DNS server detected"; program: named; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100069; sid:5100069; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Bit9 detected"; program: bit9; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100070; sid:5100070; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Bro/Zeek detected"; program: bro|zeek; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100071; sid:5100071; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Cisco ASA detected"; program: %ASA*|%FWSM*; metadata: fingerprint_source logs, fingerprint_os ios, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100072; sid:5100072; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Courier/IMAP detected"; program: imapd|imapd-ssl|courierlogger; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100073; sid:5100073; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "DigitalPersona detected"; program: DigitalPersona*; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100074; sid:5100074; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Dovecot detected"; program: dovecot; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100075; sid:5100075; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "FIPAYPIN detected"; program: *PIPAYPIN*; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100076; sid:5100076; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Generic FTPD detected"; program: ftpd|ftp|FTP|FTPD; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100077; sid:5100077; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Grsec detected"; program: grsec; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100078; sid:5100078; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Honeyd detected"; program: honeyd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100079; sid:5100079; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Hostapd detected"; program: hostapd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100080; sid:5100080; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "IMAPD detected"; program: imapd|imapd-ssl; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100081; sid:5100081; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "IPOP3D detected"; program: ipop3d; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100082; sid:5100082; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Juniper detected"; program: Juniper; metadata: fingerprint_source logs, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100083; sid:5100083; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Kismet_Server detected"; program: kismet_server; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100084; sid:5100084; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "SMTP milter detected"; program: mimedefang|smf-sav; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100085; sid:5100085; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "MongoDB server detected"; program: mongodb; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100086; sid:5100086; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "NeXpose detected"; program: NeXpose; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100087; sid:5100087; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Nfcapd detected"; program: nfcapd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100088; sid:5100088; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Postgres detected"; program: postgres; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100089; sid:5100089; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "pptpd detected"; program: pptpd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100090; sid:5100090; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Pure-FTPd server detected"; program: pure-ftpd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100091; sid:5100091; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Racoon detected"; program: racoon; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100092; sid:5100092; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Riverbed detected"; program: webasd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100093; sid:5100093; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Samba server detected"; program: smbd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100094; sid:5100094; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Squid server detected"; program: squid; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100095; sid:5100095; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "SSH-Tectia-Server detected"; program: SSH_Tectia_Server; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100096; sid:5100096; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "su/sudo detected"; program: -su|su|sudo; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 7200; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100097; sid:5100097; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Symantec EMS detected"; program: pgp/client; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100098; sid:5100098; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Telnet service detected"; program: telnetd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100099; sid:5100099; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Trendmicro Antivirus Service detected"; program: TMCM; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100100; sid:5100100; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Tripwire detected"; program: tripwire; metadata: fingerprint_source logs, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100101; sid:5100101; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Vmpop3d service detected"; program: vm-pop3d; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100102; sid:5100102; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "VMWare ESXi detected"; program: vmware-hostd|vmware-authd|Hostd|vmkernel; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100103; sid:5100103; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "VPopmail detected"; program: vpopmail; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100104; sid:5100104; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "VSFTPD server detected"; program: vsftpd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100105; sid:5100105; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Microsoft MSSQL server detected"; program: MSSQL*; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100106; sid:5100106; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Windows Sysmon detected"; program: Sysmon; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100107; sid:5100107; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Wordpress detected"; program: WPsyslog; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100116; sid:5100116; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "xinetd detected"; program: xinetd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100108; sid:5100108; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Zeus detected"; program: zeus; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100109; sid:5100109; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Cisco ISE detected"; program: CISE_Passed_Authentications|CISE_Failed_Attempts|CSCOacs_Failed_Attempts; metadata: fingerprint_source logs, fingerprint_os ios, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100110; sid:5100119; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "AS400 Server detected"; metadata: fingerprint_source logs, fingerprint_os as400, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; meta_content: " %sagan% ",MPW1600,MPW1800,MVP1600,MPW2100,MAF1100,MPW1700,MAF0100,MAD2100; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100111; sid:5100111; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "AS400 Server detect - 2"; metadata: fingerprint_source logs, fingerprint_os as400, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; program: CSYS; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100112; sid:5100112; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Office365 detect"; metadata: fingerprint_source logs, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; meta_content: "%sagan%",ALERT_ANUBIS_DETECTION_VELOCITY,ALERT_CABINET_EVENT_MATCH_AUDIT,ALERT_ANUBIS_DETECTION_NEW_COUNTRY,ALERT_DISCOVERY_ANOMALY_DETECTION,ALERT_CABINET_EVENT_MATCH_FILE,ALERT_CABINET_INLINE_EVENT_MATCH,ALERT_CABINET_EVENT_MATCH_OBJECT,ALERT_CABINET_DISCOVERY_NEW_SERVICE,ALERT_PERSONAL_USER_SAGE,ALERT_GEOLOCATION_NEW_COUNTRY,ALERT_ADMIN_USER,ALERT_ZOMBIE_USER,ALERT_NEW_ADMIN_LOCATION,ALERT_COMPROMISED_ACCOUNT,EVENT_CATEGORY_LOGOUT,EVENT_CATEGORY_LOGIN,EVENT_CATEGORY_CREATE_USER,EVENT_CATEGORY_DELETE_USER,ALERT_ANUBIS_DETECTION_REPEATED_ACTIVIY,ALERT_ANUBIS_DETECTION_REPEATED_ACTIVITY_ADMIN_ACTIVITY,ALERT_MANAGEMENT_DISCOVERY_BREACHED_APP; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100113; sid:5100113; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Watchguard detect"; metadata: fingerprint_source logs, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; program: WatchGuard*; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100114; sid:5100114; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Oracle server detect"; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; content: "RETURNCODE|3a|["; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100115; sid:5100115; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Zscaler detect"; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; content: "requestClientApplication|3d|"; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100117; sid:5100117; rev:1;)
# ---
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Microsoft Windows detected"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_expire 7200; threshold: type limit, track by_src, seconds 3600, count 1; program: *Microsoft*|*Security*|*Application*|Ntfs|USER32|Service*|*System*; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100118; sid:5100118; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "NXLog detected"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_expire 7200; threshold: type limit, track by_src, seconds 3600, count 1; program: nxlog; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100132; sid:5100132; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "DHCP-Server detected"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; program: nxlog; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100120; sid:5100120; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "MS-SQL service detected"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; program: MSSQL*; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100121; sid:5100121; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Terminal Services detected"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; program: TermService; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100122; sid:5100122; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Sysmon detected"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; program: Sysmon; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100123; sid:5100123; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Symantec detected"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; program: *Symantec*; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100124; sid:5100124; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Applocker detected"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; program: AppLocker; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100125; sid:5100125; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "VNC detected"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; program: *VNC*; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100126; sid:5100126; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Apple Bonjour service detected"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_expire 7200; threshold: type limit, track by_src, seconds 3600, count 1; program: Bonjour; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100127; sid:5100127; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "SNMP service detected"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; event_id: 1001; program: SNMP; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100128; sid:5100128; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Google updater detected"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_expire 7200; threshold: type limit, track by_src, seconds 3600, count 1; content: "Google update service is active"; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100129; sid:5100129; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Tenable security tool detected [1]"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_expire 7200; threshold: type limit, track by_src, seconds 3600, count 1; program: Tenable; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100130; sid:5100130; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Tenable security tool detected [2]"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_expire 7200; threshold: type limit, track by_src, seconds 3600, count 1; content: "Tenable Nessus"; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100131; sid:5100131; rev:1;)