首页 开源 资讯 活动 开源许可证
软件工程云服务
软件代码质量检测云服务 持续集成与部署云服务 社区个性化内容推荐服务 贡献审阅人推荐服务 群体化学习服务 重睛鸟代码扫描工具
Watch 1 Star 0 Fork 0

OSSIM/sagan-rules

代码 Issues 0 Pull Requests 0 Wiki 0 统计
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
项目仓库所选许可证以仓库主分支所使用许可证为准
克隆/下载
su.rules 5.26 KB
一键复制 编辑 原始数据 按行查看 历史
Champ Clark III 提交于 2020-05-19 11:48 . Date bump! New proofpoint rules!
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152
# Sagan su.rules

# Copyright (c) 2009-2020. Quadrant Information Security <www.quadrantsec.com>

# All rights reserved.

#

# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list

#

#*************************************************************

#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the

#  following conditions are met:

#

#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following

#    disclaimer.

#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the

#    following disclaimer in the documentation and/or other materials provided with the distribution.

#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived

#    from this software without specific prior written permission.

#

#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,

#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR

#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,

#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE

#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

#

#*************************************************************

# This is for both "su" and "sudo"



alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] SUDO user NOT in sudoers"; content:"user NOT in sudoers"; classtype: unsuccessful-admin;program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5000024; sid: 5000024; rev:2;)

drop syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SU] SUDO authentication failure - Brute force [3/5]"; content: "authentication failure"; classtype: unsuccessful-admin; normalize; program: sudo; after: track by_src, count 3, seconds 300; threshold: type suppress, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5000025; sid: 5000025; rev:7;)

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SU] SUDO authentication failure"; content: "authentication failure"; classtype: unsuccessful-admin; normalize; program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5001526; sid: 5001526; rev:3;) 

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Successful su as root"; content:"Successful su for root"; classtype: successful-admin; program: su; reference: url,wiki.quadrantsec.com/bin/view/Main/5000027; normalize; sid: 5000027; rev:4;)

drop syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] FAILED su - Brute force [5/5]"; content:"FAILED su"; classtype: unsuccessful-admin; program: su; after: track by_src, count 5, seconds 300; threshold: type suppress, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5000028; sid: 5000028; rev:5;)

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] FAILED su"; content:"FAILED su"; classtype: unsuccessful-admin; program: su; reference: url,wiki.quadrantsec.com/bin/view/Main/5001527; sid: 5001527; rev:2;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Three failed attempts to run sudo"; content: "3 incorrect password attempts"; classtype: unsuccessful-admin;program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5000132; sid: 5000132; rev:2;)



# The will catch "sudo su -" and "sudo -i".  It will NOT catch "sudo su - {username}" (for example : "sudo su - oracle")

# Steve Rawl's modications.

# 2018/09/25



alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Successful sudo to ROOT executed"; content: "USER=root"; content: "COMMAND="; content:!"incorrect password attempts"; content:!"NOT in sudoers"; pcre: "/COMMAND=(?!([A-Za-z0-9_.\/-]+)?su\s-\s[A-Za-z0-9]+)/"; classtype: successful-admin; program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5000133; sid: 5000133; rev:9;)



# This will catch attempts to "sudo su - root".

# 2018/09/25



alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Successful sudo to user ROOT executed"; content: "USER=root"; content: "COMMAND="; content:!"incorrect password attempts"; content:!"NOT in sudoers"; content: "su - root"; classtype: successful-admin; program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5003928; sid:5003928; rev:1;)



alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] su as 'root' suceeded"; content: "su root"; content: "succeeded for root"; classtype: successful-admin; program: su; reference: url,wiki.quadrantsec.com/bin/view/Main/5000409; normalize; sid: 5000409; rev:4;)



#  Rules added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/21/2015



alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] root password change attempt"; content:"passwd"; content: "root"; content:"HISTORY"; classtype: suspicious-command; program: -su|su; reference: url,wiki.quadrantsec.com/bin/view/Main/5002566; sid: 5002566; rev:3;)
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化