首页 开源 资讯 活动 开源许可证
软件工程云服务
软件代码质量检测云服务 持续集成与部署云服务 社区个性化内容推荐服务 贡献审阅人推荐服务 群体化学习服务 重睛鸟代码扫描工具
Watch 1 Star 0 Fork 0

OSSIM/sagan-rules

代码 Issues 0 Pull Requests 0 Wiki 0 统计
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
项目仓库所选许可证以仓库主分支所使用许可证为准
克隆/下载
vsftpd-correlated.rules 4.98 KB
一键复制 编辑 原始数据 按行查看 历史
Champ Clark III 提交于 2020-05-19 11:48 . Date bump! New proofpoint rules!
12345678910111213141516171819202122232425262728293031323334353637
# Sagan vsftpd-correlated.rules

# Copyright (c) 2009-2020. Quadrant Information Security <www.quadrantsec.com>

# All rights reserved.

#

# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list

#

#*************************************************************

#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the

#  following conditions are met:

#

#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following

#    disclaimer.

#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the

#    following disclaimer in the documentation and/or other materials provided with the distribution.

#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived

#    from this software without specific prior written permission.

#

#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,

#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR

#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,

#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE

#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

#

#*************************************************************



alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD-CORRELATED] Authentication after recon activity"; content: "OK LOGIN"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; program: vsftpd; xbits: isset,recon,track ip_src; threshold: type suppress, track by_src, count 5, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003329; sid:5003329; rev:3;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD-CORRELATED] Authentication after honeypot activity"; content: "OK LOGIN"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; program: vsftpd; xbits: isset,honeypot,track ip_src; threshold: type suppress, track by_src, count 5, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003330; sid:5003330; rev:3;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD-CORRELATED] Authentication after exploit attempt"; content: "OK LOGIN"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; program: vsftpd; xbits: isset,exploit_attempt,track ip_src; threshold: type suppress, track by_src, count 5, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003331; sid:5003331; rev:3;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD-CORRELATED] Authentication after brute force activity"; content: "OK LOGIN"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; program: vsftpd; xbits: isset,brute_force,track ip_src; threshold: type suppress, track by_src, count 5, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003332; sid:5003332; rev:3;)



alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD-CORRELATED] File uploaded after recon activity"; content: "OK UPLOAD"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; xbits: isset,recon,track ip_src; program: vsftpd; threshold: type suppress, track by_src, count 5, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003333; sid:5003333; rev:3;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD-CORRELATED] File uploaded after honeypot activity"; content: "OK UPLOAD"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; xbits: isset,honeypot,track ip_src; program: vsftpd; threshold: type suppress, track by_src, count 5, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003334; sid:5003334; rev:3;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD-CORRELATED] File uploaded after exploit attempt"; content: "OK UPLOAD"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; xbits: isset,exploit_attempt,track ip_src; program: vsftpd; threshold: type suppress, track by_src, count 5, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003335; sid:5003335; rev:3;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD-CORRELATED] File uploaded after brute force activity"; content: "OK UPLOAD"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; xbits: isset,brute_force,track ip_src; program: vsftpd; threshold: type suppress, track by_src, count 5, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003336; sid:5003336; rev:3;)
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化