# Sagan windows-blacklist.rules
# Copyright (c) 2009-2020. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# *************************************************************
# Windows blacklist rules.
# Eventlog to syslog service. This is what we primarily use.
# http://code.google.com/p/eventlog-to-syslog/
# Option conventions shared by the rules in this file:
#   parse_src_ip: 1    - use the first IP address found in the log text as the source address
#   blacklist: by_src  - fire only when that source address is listed in Sagan's configured blacklist
#   normalize          - normalize the log (liblognorm) before the option checks run
#   threshold: type suppress, track by_src, count N, seconds S
#                      - at most N alerts per source per S seconds; the "[0/N]" tag in msg mirrors it
#
# Successful RDP session (logon type 10 = RemoteInteractive) from a blacklisted IP.
# NOTE(review): in the Vista/2008+ Security log 4724 is "an attempt was made to reset an account's
# password" and does not appear to carry a "Logon Type" field; the post-2008 counterpart of 528/540
# is 4624 - confirm whether 4724 is a typo for 4624, otherwise modern hosts never match this rule.
# NOTE(review): header direction is $HOME_NET -> $EXTERNAL_NET while every other rule here is
# $EXTERNAL_NET -> $HOME_NET, and "program: *Security*" is given twice - confirm both are intended.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-BLACKLIST] RDP / Logon type 10 from a blacklisted IP"; program: *Security*; event_id: 4724,528,540; content: "Logon Type|3a| 10 "; blacklist: by_src; program: *Security*; parse_src_ip: 1; normalize; default_proto: tcp; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002215; sid: 5002215; rev:6;)
# Pre-2008 logon failure events (529-539) from a blacklisted IP, one rule per failure reason.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP [0/5]"; program: *Security*; event_id: 529; classtype: unsuccessful-user; blacklist: by_src; threshold: type suppress, track by_src, count 5, seconds 300; normalize; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5002216; sid: 5002216; rev:6;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP [Time restriction] [0/5]"; event_id: 530; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; blacklist: by_src; threshold: type suppress, track by_src, count 5, seconds 300; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5002217; sid: 5002217; rev:8;)
# The negated content skips events whose User Name / Domain fields are empty (presumably noise) - confirm.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from blacklisted IP - Account currently disabled [0/5]"; event_id: 531; content:!"User Name|3a| Domain|3a|"; classtype: unsuccessful-user; program: *Security*; blacklist: by_src; normalize; parse_src_ip: 1; threshold: type suppress, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002218; sid: 5002218; rev:5;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from blacklisted IP - Specified account expired"; event_id: 532; classtype: unsuccessful-user; program: *Security*; blacklist: by_src; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002219; sid: 5002219; rev:5;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from blacklisted IP - User not allowed to login at this computer"; event_id: 533; classtype: unsuccessful-user; program: *Security*; blacklist: by_src; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002220; sid: 5002220; rev:5;)
# NOTE(review): msg tag "[0/1]" does not match the threshold (count 5); sibling rules use "[0/5]" for the same threshold.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from blacklisted IP - Account locked [0/1]"; event_id: 539; content:!"User Name|3a| Domain|3a| Logon Type|3a|"; classtype: unsuccessful-user; blacklist: by_src; threshold: type suppress, track by_src, count 5, seconds 300; parse_src_ip: 1; parse_port; normalize; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002222; sid: 5002222; rev:6;)
# Pre-2008 domain controller Kerberos failures (675/676/681); no threshold, so every hit alerts.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Logon Failure from blacklisted IP"; event_id:675,676,681; classtype: unsuccessful-user; program: *Security*; blacklist: by_src; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002223; sid: 5002223; rev:6;)
# Rules added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/19/2015
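# Brute-force variants, shipped disabled (commented out). Option conventions:
#   content: "C0000064" ... nocase - NTSTATUS sub-status of the 4625/4776 failure
#   content: " 0xNN "               - Kerberos failure code in 4771/4768 (and pre-2008 675/676/681)
#   after: track by_src, count 25, seconds 300
#                                    - stay silent until a source has produced 25 matches in 5 minutes
#   threshold: type suppress, track by_src, count 1, seconds 86400
#                                    - then at most one alert per source per day
#   the "[25/1]" tag in msg mirrors those two options
# Fixed while disabled (revs bumped): 5002528 "event_id;" -> "event_id:", 5002530 msg typo
# "B4ute force", 5002549 and 5002550 unterminated "*Security" glob, 5002557 stray leading comma
# in the event_id list. Each of these would have failed to load or to match when re-enabled.
# The "$ Source" / "$ Account Domain" negations on the first two rules skip machine (trailing-$) accounts - confirm.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Name Does Not Exist [Brute Force] [25/1]"; content: "C0000064"; nocase; event_id: 4625,4776; content:!"$ Source"; content:!"$ Account Domain|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; blacklist: by_src; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5002509; sid: 5002509; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Correct but Incorrect Password [Brute Force] [25/1]"; content: "C000006A"; nocase; event_id: 4625,4776; content:!"$ Account Domain|3a| "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002510; sid: 5002510; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Is Locked Out [Brute Force] [25/1]"; content: "C0000234"; nocase; event_id: 4625,4776; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002511; sid: 5002511; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Account Disabled [Brute Force] [25/1]"; content: "C0000072"; nocase; event_id: 4625,4776; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002512; sid: 5002512; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Login Attempts Outside of Time Restriction [Brute Force] [25/1]"; content: "C000006F"; nocase; event_id: 4625,4776; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002513; sid: 5002513; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - Expired Account [Brute Force] [25/1]"; content: "C0000193"; nocase; event_id: 4625,4776; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002514; sid: 5002514; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - Expired Password [Brute Force] [25/1]"; content: "C0000071"; nocase; event_id: 4625,4776; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002515; sid: 5002515; rev:7;)
# Kerberos failure codes. 0x1-0xB match " 0xN Client "; 0xC onward match the bare " 0xNN " token -
# the two patterns were kept as written, confirm the narrower " Client " form is intended for the first group.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x1 - Client's entry in database has expired [25/1]"; content: " 0x1 Client "; event_id: 4771,4768,675,676,681; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002516; sid: 5002516; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2 - Server's entry in database has expired [25/1]"; content: " 0x2 Client "; event_id: 4771,4768,675,676,681; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002517; sid: 5002517; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x3 - Requested protocol version # not supported [25/1]"; content: " 0x3 Client "; event_id: 4771,4768,675,676,681; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002518; sid: 5002518; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x4 - Client's key encrypted in old master key [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x4 Client "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002519; sid: 5002519; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x5 - Server's key encrypted in old master key [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x5 Client "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002520; sid: 5002520; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x6 - Client not found in Kerberos database [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x6 Client "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002521; sid: 5002521; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x7 - Server not found in Kerberos database [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x7 Client "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002522; sid: 5002522; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x8 - Multiple principal entries in database [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x8 Client "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002523; sid: 5002523; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x9 - The client or server has a null key [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x9 Client "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002524; sid: 5002524; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xA - Ticket not eligible for postdating [25/1]"; event_id: 4771,4768,675,676,681; content: " 0xA Client "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002525; sid: 5002525; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xB - Requested start time is later than end time [25/1]"; event_id: 4771,4768,675,676,681; content: " 0xB Client "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002526; sid: 5002526; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xC - KDC policy rejects request [25/1]"; event_id: 4771,4768,675,676,681; content: " 0xC "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002527; sid: 5002527; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xD - KDC cannot accommodate requested option [25/1]"; event_id: 4771,4768,675,676,681; content: " 0xD "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002528; sid: 5002528; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xE - KDC has no support for encryption type [25/1]"; event_id: 4771,4768,675,676,681; content: " 0xE "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002529; sid: 5002529; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xF - KDC has no support for checksum type [25/1]"; event_id: 4771,4768,675,676,681; content: " 0xF "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002530; sid: 5002530; rev:5;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x10 - KDC has no support for padata type [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x10 "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002531; sid: 5002531; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x11 - KDC has no support for transited type [25/1]"; event_id:4771,4768,675,676,681; content: " 0x11 "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002532; sid: 5002532; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x12 - Clients credentials have been revoked [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x12 "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002533; sid: 5002533; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x13 - Credentials for server have been revoked [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x13 "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002534; sid: 5002534; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x14 - TGT has been revoked [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x14 "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002535; sid: 5002535; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x15 - Client not yet valid - try again later [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x15 "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002536; sid: 5002536; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x16 - Server not yet valid - try again later [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x16 "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002537; sid: 5002537; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x17 - Password has expired [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x17 "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002538; sid: 5002538; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x18 - Pre-authentication information was invalid [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x18 "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002539; sid: 5002539; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x19 - Additional pre-authentication required [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x19 "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002540; sid: 5002540; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x1F - Integrity check on decrypted field failed [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x1F "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002541; sid: 5002541; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x20 - Ticket expired [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x20 "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002542; sid: 5002542; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x21 - Ticket not yet valid [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x21 "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002543; sid: 5002543; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x22 - Request is a replay [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x22 "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002544; sid: 5002544; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x23 - The ticket isn't for us [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x23 "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002545; sid: 5002545; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x24 - Ticket and authenticator don't match [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x24 "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002546; sid: 5002546; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x25 - Clock skew too great [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x25 "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002547; sid: 5002547; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x26 - Incorrect net address [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x26 "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002548; sid: 5002548; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x27 - Protocol version mismatch [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x27 "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002549; sid: 5002549; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x28 - Invalid msg type [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x28 "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002550; sid: 5002550; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x29 - Message stream modified [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x29 "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002551; sid: 5002551; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2A - Message out of order [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x2A "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002552; sid: 5002552; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2C - Specified version of key is not available [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x2C "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002553; sid: 5002553; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2D - Service key not available [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x2D "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002554; sid: 5002554; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2E - Mutual authentication failed [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x2E "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002555; sid: 5002555; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2F - Incorrect message direction [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x2F "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002556; sid: 5002556; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x30 - Alternative authentication method required [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x30 "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002557; sid: 5002557; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x31 - Incorrect sequence number in message [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x31 "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002558; sid: 5002558; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x32 - Inappropriate type of checksum in message [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x32 "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002559; sid: 5002559; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x3C - Generic error [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x3C "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002560; sid: 5002560; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x3D - Field is too long for this implementation [25/1]"; event_id: 4771,4768,675,676,681; content: " 0x3D "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002561; sid: 5002561; rev:7;)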