首页 开源 资讯 活动 开源许可证
软件工程云服务
软件代码质量检测云服务 持续集成与部署云服务 社区个性化内容推荐服务 贡献审阅人推荐服务 群体化学习服务 重睛鸟代码扫描工具
Watch 1 Star 0 Fork 0

OSSIM/sagan-rules

代码 Issues 0 Pull Requests 0 Wiki 0 统计
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
项目仓库所选许可证以仓库主分支所使用许可证为准
克隆/下载
fortinet-correlated.rules 8.76 KB
一键复制 编辑 原始数据 按行查看 历史
Champ Clark III 提交于 2020-05-19 11:48 . Date bump! New proofpoint rules!
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950
# Sagan fortinet-correlated.rules

# Copyright (c) 2009-2020. Quadrant Information Security <www.quadrantsec.com>

# All rights reserved.

#

# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list

#

#*************************************************************

#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the

#  following conditions are met:

#

#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following

#    disclaimer.

#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the

#    following disclaimer in the documentation and/or other materials provided with the distribution.

#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived

#    from this software without specific prior written permission.

#

#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,

#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR

#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,

#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE

#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

#

#*************************************************************



alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Login accepted after recon activity"; content: "32006 type="; content: "login"; meta_content: "%sagan%",accepted,successfully; parse_src_ip: 1; xbits: isset,recon,track ip_src; classtype: correlated-attack; threshold: type suppress, track by_src, count 5, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003265; sid:5003265; rev:4;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Login accepted after honeypot activity"; content: "32006 type="; content: "login"; meta_content: "%sagan%",accepted,successfully; parse_src_ip: 1; xbits: isset,honeypot,track ip_src; classtype: correlated-attack; threshold: type suppress, track by_src, count 5, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003266; sid:5003266; rev:4;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Login accepted after exploit attempt"; content: "32006 type="; content: "login"; meta_content: "%sagan%",accepted,successfully; parse_src_ip: 1; xbits: isset,exploit_attempt,track ip_src; classtype: correlated-attack; threshold: type suppress, track by_src, count 5, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003267; sid:5003267; rev:4;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Login accepted brute force activity"; content: "32006 type="; content: "login"; meta_content: "%sagan%",accepted,successfully; parse_src_ip: 1; xbits: isset,bruce_force,track ip_src; classtype: correlated-attack; threshold: type suppress, track by_src, count 5, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003268; sid:5003268; rev:4;)



#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Administrator Login after suspicious activity"; content: "32001 type="; content: "logged in"; parse_src_ip: 1; xbits: isset,by_src,recon|honeypot|exploit_attempt|brute_force; classtype: correlated-attack; threshold: type suppress, track by_src, count 5, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5002372; sid:5002372; rev:6;)



alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Administrator Login after recon activity"; content: "32001 type="; content: "logged in"; parse_src_ip: 1; xbits: isset,recon,track ip_src; classtype: correlated-attack; threshold: type suppress, track by_src, count 5, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003269; sid:5003269; rev:3;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Administrator Login after honeypot activity"; content: "32001 type="; content: "logged in"; parse_src_ip: 1; xbits: isset,honeypot,track ip_src; classtype: correlated-attack; threshold: type suppress, track by_src, count 5, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003270; sid:5003270; rev:3;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Administrator Login after exploit attempt"; content: "32001 type="; content: "logged in"; parse_src_ip: 1; xbits: isset,exploit_attempt,track ip_src; classtype: correlated-attack; threshold: type suppress, track by_src, count 5, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003271; sid:5003271; rev:3;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Administrator Login after brute force activity"; content: "32001 type="; content: "logged in"; parse_src_ip: 1; xbits: isset,brute_force,track ip_src; classtype: correlated-attack; threshold: type suppress, track by_src, count 5, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003272; sid:5003272; rev:3;)



alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Admin authentication success after recon activity"; content: "38001 type="; content: "succeeded in authentication"; parse_src_ip: 1; xbits: isset,recon,track ip_src; classtype: correlated-attack; threshold: type suppress, track by_src, count 5, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003273; sid:5003273; rev:3;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Admin authentication success after honeypot activity"; content: "38001 type="; content: "succeeded in authentication"; parse_src_ip: 1; xbits: isset,honeypot,track ip_src; classtype: correlated-attack; threshold: type suppress, track by_src, count 5, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003274; sid:5003274; rev:3;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Admin authentication success after exploit attempt"; content: "38001 type="; content: "succeeded in authentication"; parse_src_ip: 1; xbits: isset,exploit_attempt,track ip_src; classtype: correlated-attack; threshold: type suppress, track by_src, count 5, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003275; sid:5003275; rev:3;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Admin authentication success after brute force"; content: "38001 type="; content: "succeeded in authentication"; parse_src_ip: 1; xbits: isset,brute_force,track ip_src; classtype: correlated-attack; threshold: type suppress, track by_src, count 5, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003276; sid:5003276; rev:3;)





alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] SSH traffic detected after recon activity"; content: " service=SSH "; content:!"duration=0 sentbyte=0 rcvdbyte=0"; xbits: isset,recon,track ip_src; classtype: correlated-attack; parse_src_ip: 1; parse_dst_ip: 2; threshold: type suppress, track by_src, count 5, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003277; sid:5003277; rev:3;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] SSH traffic detected after honeypot activity"; content: " service=SSH "; content:!"duration=0 sentbyte=0 rcvdbyte=0"; xbits: isset,honeypot,track ip_src; classtype: correlated-attack; parse_src_ip: 1; parse_dst_ip: 2; threshold: type suppress, track by_src, count 5, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003278; sid:5003278; rev:3;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] SSH traffic detected after exploit attempt"; content: " service=SSH "; content:!"duration=0 sentbyte=0 rcvdbyte=0"; xbits: isset,exploit_attempt,track ip_src; classtype: correlated-attack; parse_src_ip: 1; parse_dst_ip: 2; threshold: type suppress, track by_src, count 5, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003279; sid:5003279; rev:3;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] SSH traffic detected after brute force activity"; content: " service=SSH "; content:!"duration=0 sentbyte=0 rcvdbyte=0"; xbits: isset,brute_force,track ip_src; classtype: correlated-attack; parse_src_ip: 1; parse_dst_ip: 2; threshold: type suppress, track by_src, count 5, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003280; sid:5003280; rev:3;)
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化