rules/apache.rules0000644000000000000000000001460511460047376013221 0ustar rootroot# Sagan apache.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
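#
#*************************************************************
#
# In order for you to receive Apache logs via syslog, you'll need to change your "CustomLog" configuration
# entry in your Apache config to something like:
#
# CustomLog "|/usr/bin/logger -i -p local0.info -t apache2" common
#
# NOTE(review): most of the signatures below ("File does not exist", "denied by server configuration",
# "Directory index forbidden by rule", "exit signal Segmentation fault", "Invalid URI in request",
# "Client sent malformed Host header") are written to Apache's ErrorLog, not to the CustomLog/access
# log, so the error log has to reach syslog as well, e.g.:
#
# ErrorLog "|/usr/bin/logger -i -p local0.err -t apache2"
#
# Without that, those rules have nothing to match against.
#
# NOTE(review): the logger examples tag messages with the program name "apache2" while every rule
# below uses "program: apache".  Confirm that program: matching in your Sagan build accepts this; if it
# requires an exact name, use the alternation form seen in bash.rules, e.g. program: "apache|apache2".
#
# The tcp/port 80 header is carried into the alert output; for syslog-sourced events the match itself
# is driven by program: plus the content:/pcre: options.  content: matches are case-sensitive unless
# "nocase" is given, and when a rule has several content: options ALL of them must appear in the same
# log line.

# Worker process crash.  Repeated crashes triggered by one client may indicate exploitation of a
# module bug; correlate with the access log for the request that caused it.
# nocase added: the signal description text comes from the platform (commonly "Segmentation fault",
# lower-case "f"), which the case-sensitive match did not cover.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"[APACHE] Apache segmentation fault"; content: "signal Segmentation Fault"; nocase; classtype: program-error; program: apache; reference: url,wiki.softwink.com/bin/view/Main/5000155; sid:5000155; rev:2;)

# Access blocked by <Directory>/<Location>/<Files>/.htaccess configuration (e.g. .git/, backups, .htpasswd).
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"[APACHE] Apache Attempt to access forbidden file or directory"; content: "denied by server configuration"; classtype: permissions-violation; program: apache; reference: url,wiki.softwink.com/bin/view/Main/5000156; sid:5000156; rev:1;)

# Directory listing requested where "Options -Indexes" is set and no index document exists.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"[APACHE] Apache Attempt to access forbidden directory index"; content: "Directory index forbidden by rule"; classtype: permissions-violation; program: apache; reference: url,wiki.softwink.com/bin/view/Main/5000157; sid:5000157; rev:1;)

# Host header that fails Apache's syntax check - scanners, raw exploit tools or Host-header
# injection probing rather than browsers.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"[APACHE] Apache Client sent malformed Host header"; content: "Client sent malformed Host header"; classtype: string-detect; program: apache; reference: url,wiki.softwink.com/bin/view/Main/5000158; sid:5000158; rev:1;)

# Failed HTTP Basic/Digest authentication (mod_auth*).  Single events are usually typos; per-source
# bursts are password guessing - consider adding a threshold when tuning.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"[APACHE] Apache User authentication failed"; content: "authentication failed"; nocase; classtype: unsuccessful-user; program: apache; reference: url,wiki.softwink.com/bin/view/Main/5000159; sid:5000159; rev:1;)

# Authentication attempted for a user absent from the password file/backend - username enumeration.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"[APACHE] Apache Attempt to login using a non-existent user"; pcre: "/user \S+ not found/i"; classtype: unsuccessful-user; program: apache; reference: url,wiki.softwink.com/bin/view/Main/5000160; sid:5000160; rev:1;)

# Requests for paths that do not exist.  Very noisy (broken links, favicon.ico, crawlers); its value
# is as input to scanner detection (many distinct misses from one source), not as a standalone alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"[APACHE] Apache Attempt to access a non-existent file or directory"; pcre: "/file does not exist|No such file or directory/i"; classtype: suspicious-filename-detect; program: apache; reference: url,wiki.softwink.com/bin/view/Main/5000161; sid:5000161; rev:1;)

# PHP include/fopen failures - frequently the visible side effect of LFI/RFI attempts against
# include()/require()/fopen() with attacker-controlled paths.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"[APACHE] Apache Attempt to access a non-existent file or stream"; pcre: "/failed opening|failed to open stream/i"; classtype: suspicious-filename-detect; program: apache; reference: url,wiki.softwink.com/bin/view/Main/5000378; sid:5000378; rev:1;)

# Request line/URI rejected by Apache's parser (bad encodings, malformed request lines).
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"[APACHE] Apache Invalid URI in request"; content: "Invalid URI in request"; classtype: suspicious-traffic; program: apache; reference: url,wiki.softwink.com/bin/view/Main/5000162; sid:5000162; rev:1;)

# Oversized request path or URI (LimitRequestLine / filesystem name-length limits) - typical of
# overflow probing and long traversal payloads.
# Fixed: the previous rule had two content: options, i.e. it required BOTH phrases in one log line,
# and Apache emits them as separate messages.  They are now case-insensitive alternatives; verify
# against a sample line from your own error log.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"[APACHE] Apache Invalid URI, file name too long"; pcre: "/file name too long|URI too long/i"; classtype: suspicious-filename-detect; program: apache; reference: url,wiki.softwink.com/bin/view/Main/5000163; sid:5000163; rev:2;)

# mod_security blocked a request.  Both the pcre and the "access denied" content must match.  The
# alert is only as good as the mod_security ruleset that produced the line (the third pcre
# alternative is redundant - "mod_security" already covers "mod_security-message").
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"[APACHE] Apache Mod_Security Access denied"; pcre: "/modsecurity|mod_security|mod_security-message/i"; content: "access denied"; nocase; classtype: web-application-attack; program: apache; reference: url,wiki.softwink.com/bin/view/Main/5000165; sid:5000165; rev:1;)

# EAGAIN-style errors - usually resource exhaustion (MaxClients, ulimits, saturated backend); can also
# be the symptom of a denial-of-service condition.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"[APACHE] Apache Resource temporarily unavailable"; content: "Resource temporarily unavailable"; classtype: program-error; program: apache; reference: url,wiki.softwink.com/bin/view/Main/5000166; sid:5000166; rev:1;)

# mod_autoindex sort queries: "?C=S;O=A" sorts a directory listing by size, "?C=M;O=A" by
# modification date.  These only make sense against listing pages, so they are a reliable sign that a
# client (usually a scanner) is browsing exposed directories.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"[APACHE] Apache directory attempt"; content: "?C=S;O=A"; classtype: suspicious-traffic; program: apache; reference: url,wiki.softwink.com/bin/view/Main/5000359; sid:5000359; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"[APACHE] Apache directory attempt"; content: "?C=M;O=A"; classtype: suspicious-traffic; program: apache; reference: url,wiki.softwink.com/bin/view/Main/5000360; sid:5000360; rev:1;)

# robots.txt retrieval - normal for crawlers, occasionally used to discover "hidden" paths.  Informational.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"[APACHE] Apache robots.txt access"; content: "robots.txt"; classtype: unknown; program: apache; reference: url,wiki.softwink.com/bin/view/Main/5000361; sid:5000361; rev:1;)

# phpinfo() page probing - discloses PHP/server configuration, paths and loaded modules.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"[APACHE] Apache phpinfo access attempt"; content: "phpinfo"; classtype: attempted-recon; program: apache; reference: url,wiki.softwink.com/bin/view/Main/5000362; sid:5000362; rev:1;)

# phpMyAdmin path probing - one of the most scanned-for web applications.
# /i added: the application's default directory is mixed case ("phpMyAdmin"), which the previous
# case-sensitive pattern never matched.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"[APACHE] Apache php-my-admin access attempt"; pcre: "/php-my-admin|phpmyadmin/i"; classtype: web-application-attack; program: apache; reference: url,wiki.softwink.com/bin/view/Main/5000364; sid:5000364; rev:2;)
rules/arp.rules0000644000000000000000000000751111460047376012560 0ustar rootroot
# Sagan arp.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.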
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************

# ARP monitoring events.  Both tools track IP <-> MAC pairings on a segment.  A changed or
# oscillating pairing for a known IP is the classic indicator of ARP spoofing (man-in-the-middle),
# but it is also produced by HSRP/VRRP failover, dual-homed hosts and DHCP churn - tune against
# a baseline of your own environment before acting on these automatically.

# "arpalert" rules - http://www.arpalert.org

# A MAC address never seen before appeared on the segment (rogue device, or simply a new host).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpalert - Detected new machine on the network"; content:"type=new"; program:arpalert; classtype:suspicious-traffic; reference:url,wiki.softwink.com/bin/view/Main/5000060; sid:5000060; rev:1;)

# A known MAC address started using a different IP address.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpalert - Detected ip change"; content:"type=ip_change"; program:arpalert; classtype:suspicious-traffic; reference:url,wiki.softwink.com/bin/view/Main/5000061; sid:5000061; rev:1;)

# "arpwatch" rules - http://en.wikipedia.org/wiki/Arpwatch

# A new IP/MAC pairing was recorded for the first time.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpwatch - Detected new machine on the network"; content:"new station"; program:arpwatch; classtype:suspicious-traffic; reference:url,wiki.softwink.com/bin/view/Main/5000062; sid:5000062; rev:2;)

# The same IP alternating between two MAC addresses - the strongest ARP-spoofing signal in this
# file (also seen with first-hop redundancy protocols).  The trailing space in the match is deliberate.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpwatch - 'flip flop' message."; content:"flip flop "; program:arpwatch; classtype:suspicious-traffic; reference:url,wiki.softwink.com/bin/view/Main/5000063; sid:5000063; rev:1;)

# arpwatch reaped a child process ("reaper: pid ...").  Grouped as a program event; the message
# text alone does not establish that arpwatch itself is shutting down - confirm against 5000066.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpwatch - Exiting"; content:"reaper: pid"; program:arpwatch; classtype:program-error; reference:url,wiki.softwink.com/bin/view/Main/5000064; sid:5000064; rev:1;)

# An IP address moved to a different MAC address - spoofing, NIC replacement or failover.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpwatch - Changed network interface for IP address"; content:"changed ethernet address"; program:arpwatch; classtype:suspicious-traffic; reference:url,wiki.softwink.com/bin/view/Main/5000065; sid:5000065; rev:1;)

# Routine start/stop messages, kept for the audit trail: a stop of the monitor with no matching
# restart is itself worth a look, since an attacker may silence it before spoofing.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpwatch - Startup/Exiting message"; pcre:"/exiting|Running as/"; program:arpwatch; classtype:not-suspicious; reference:url,wiki.softwink.com/bin/view/Main/5000066; sid:5000066; rev:1;)

# Malformed ARP frame (bad hardware-address length) discarded by arpwatch.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpwatch - Detected bad address len - ignored"; content:"sent bad addr len"; program:arpwatch; classtype:network-event; reference:url,wiki.softwink.com/bin/view/Main/5000067; sid:5000067; rev:1;)
rules/asterisk.rules0000644000000000000000000000623311460047376013623 0ustar rootroot
# Sagan asterisk.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
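#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************

# Asterisk (PBX) log events.  The first three rules key on the log-level token of the line and are
# therefore high volume - treat them as informational.  The three login-failure rules are the
# operationally useful ones: SIP registration brute force shows up as bursts of 5000179/5000180/5000181
# from one source, and toll-fraud compromises are usually preceded by exactly that.  Consider a
# per-source threshold on those three when deploying.

# Any line carrying the WARNING level token (case-sensitive substring match).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Warning message"; content: "WARN"; classtype: program-error; program: asterisk; reference: url,wiki.softwink.com/bin/view/Main/5000176; sid:5000176; rev:1;)

# Any line carrying the ERROR level token.  msg corrected: the previous text said "Warning message"
# for a rule that matches "ERROR", which made the two indistinguishable in alert output (rev bumped).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Error message"; content: "ERROR"; classtype: program-error; program: asterisk; reference: url,wiki.softwink.com/bin/view/Main/5000177; sid:5000177; rev:2;)

# Any line carrying the NOTICE level token.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Notice message"; content: "NOTICE"; classtype: program-error; program: asterisk; reference: url,wiki.softwink.com/bin/view/Main/5000178; sid:5000178; rev:1;)

# Authentication with a known account name but wrong credentials.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Login session failed"; content: "Wrong password"; classtype: unsuccessful-user; program: asterisk; reference: url,wiki.softwink.com/bin/view/Main/5000179; sid:5000179; rev:1;)

# Username and auth name disagree - typical of hand-crafted REGISTER/INVITE messages from scanners.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Login session failed [invalid user]"; content: "Username/auth name mismatch"; classtype: unsuccessful-user; program: asterisk; reference: url,wiki.softwink.com/bin/view/Main/5000180; sid:5000180; rev:1;)

# Authentication for a peer/account that does not exist - account enumeration.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Login session failed [invalid extension]"; content: "No matching peer found"; classtype: unsuccessful-user; program: asterisk; reference: url,wiki.softwink.com/bin/view/Main/5000181; sid:5000181; rev:1;)
rules/attack.rules0000644000000000000000000000745211460047376013251 0ustar rootroot
# Sagan attack.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED.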
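# IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************

# Generic exploitation artefacts visible in syslog.  Several rules below have no program: field and
# therefore match a line from ANY program that contains the pattern.  The long runs of "A", "@" and
# "?" are the NOP sleds / overflow padding / unprintable shellcode bytes that daemons echo back into
# their own error messages.  These are legacy (late-1990s/2000s) signatures: low false-positive rate,
# but they only catch unsophisticated payloads.

# rpc.statd overflow: the daemon logs a "hostname" that is really shellcode (run of non-word chars).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ATTACK] Buffer overflow attempt on rpc.statd"; pcre: "/gethostbyname error for \W+/"; classtype: exploit-attempt; program: rpc.statd; reference: url,wiki.softwink.com/bin/view/Main/5000095; sid:5000095; rev:1;)

# WU-FTPD overflow: the login record carries the classic "/bin/sh" string with the slashes mangled
# to "0".  Fixed: the previous pattern had "\.+" (one or more literal dots) between "FROM" and the
# payload, which can never match a real hostname/address and made the rule dead; ".+" is what was
# intended (rev bumped).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ATTACK] Buffer overflow attempt on WU-FTPD version prior to 2.6"; pcre: "/\S+ FTP LOGIN FROM .+ 0bin0sh/"; classtype: exploit-attempt; program: ftpd; reference: url,wiki.softwink.com/bin/view/Main/5000096; sid:5000096; rev:2;)

# Run of unprintable bytes (rendered as "?") inside a log message - binary payload echoed by a daemon.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ATTACK] Possible buffer overflow attempt"; content: "?????????????????????"; classtype: suspicious-traffic; reference: url,wiki.softwink.com/bin/view/Main/5000097; sid:5000097; rev:1;)

# Account information "changed by" a null user - presumably a change made without a valid account
# context (e.g. through an exploited service); both tokens must appear in the same line.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ATTACK] 'Null' user change some information"; content: "changed by"; content: "null"; classtype: exploit-attempt; reference: url,wiki.softwink.com/bin/view/Main/5000098; sid:5000098; rev:1;)

# Overflow padding ("@" run), historically associated with yppasswd.  The reference URL pointed at
# wiki page 5000356 while the sid is 5000365; every other rule in these files uses the sid as the
# page id, so the reference was aligned to the sid - confirm against the wiki (rev bumped).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ATTACK] Possible buffer overflow attempt [yppasswd?]"; content: "@@@@@@@@@@@@@@@@@@@@@@@@@"; classtype: exploit-attempt; reference: url,wiki.softwink.com/bin/view/Main/5000365; sid:5000365; rev:2;)

# Solaris cachefsd crash: both "Segmentation Fault" and "core dumped" must appear in the same line.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ATTACK] Heap overflow in the Solaris cachefsd service"; content: "Segmentation Fault"; content: "core dumped"; program: cachefsd; classtype: exploit-attempt; reference: url,wiki.softwink.com/bin/view/Main/5000366; sid:5000366; rev:1;)

# Solaris non-executable-stack protection fired ("attempt to execute code on stack by <user>"):
# a stack overflow exploit was attempted and blocked by the kernel.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ATTACK] Stack overflow attempt with SEGV [Solaris]"; content: "attempt to execute code on stack by"; nocase; classtype: exploit-attempt; reference: url,wiki.softwink.com/bin/view/Main/5000099; sid:5000099; rev:1;)

# NOP-sled / padding ("A" run) echoed into a log message.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ATTACK] Possible buffer overflow attempt [NOOP]"; content: "AAAAAAAAAAAAAAAAAAAAAAAAA"; classtype: suspicious-traffic; reference: url,wiki.softwink.com/bin/view/Main/5000100; sid:5000100; rev:1;)
rules/bash.rules0000644000000000000000000001426611460047376012720 0ustar rootroot
# Sagan bash.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED.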
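# IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
# The following rules require bash to be compiled with syslog history support. Without this, there is no way
# for sagan to "see" what users type. For more information, see:
#
# http://blog.rootshell.be/2009/02/28/bash-history-to-syslog/
#
# Gentoo users can rebuild bash with the "logger" USE flag.
#
# NOTE(review): this telemetry is trivially evaded by the people it is aimed at - starting another
# shell (sh, zsh, ...), exec'ing a new shell, or disabling history (HISTFILE=/dev/null, unset HISTFILE,
# HISTSIZE=0, set +o history).  Treat hits as cheap leads rather than a control, and treat the
# history-disabling rules (5000010, 5000014) as the most interesting ones.  Of the evasions listed,
# only the HISTFILE=/dev/null form has a rule below.
#
# Every rule also requires the literal "HISTORY" token that the patched bash puts on each logged
# command line, so the matches fire on command-history records only, not on other bash messages.
# content: is a case-sensitive substring match unless "nocase" is given.

# Running a freshly compiled binary - the default gcc output name, common after a local exploit build.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] ./a.out execution attempt"; content:"./a.out"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.softwink.com/bin/view/Main/5000000; program: "bash|-bash"; sid:5000000; level: info; rev:2;)

# Compiler use on a host that normally should not need one (exploit or tool compilation).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] gcc execution"; content:"gcc "; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.softwink.com/bin/view/Main/5000001; program: "bash|-bash"; sid:5000001; level: info; rev:2;)

# Interactive telnet - lateral movement / banner grabbing with a cleartext protocol.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] telnet execution"; content:"telnet "; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.softwink.com/bin/view/Main/5000002; program: "bash|-bash"; sid:5000002; level: info; rev:2;)

# Port scanning from the host.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] nmap execution"; content:"nmap "; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.softwink.com/bin/view/Main/5000003; program: "bash|-bash"; sid:5000003; level: info; rev:2;)

# /etc/passwd referenced on the command line (account enumeration; also very common legitimate use).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] /etc/passwd access"; content:"/etc/passwd"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.softwink.com/bin/view/Main/5000004; program: "bash|-bash"; sid:5000004; level: info; rev:2;)

# /etc/shadow referenced on the command line - password-hash theft is the usual non-admin reason.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] /etc/shadow access"; content:"/etc/shadow"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.softwink.com/bin/view/Main/5000005; program: "bash|-bash"; sid:5000005; level: info; rev:2;)

# Build tool use.  5000006 ("make") is a strict superset of 5000007 ("make "): both fire on a plain
# "make" invocation, and 5000006 additionally matches "make" as a substring of other commands
# (cmake, automake, makewhatis, ...).  Kept as-is for compatibility; expect double alerts.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] make execution"; content:"make"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.softwink.com/bin/view/Main/5000006; program: "bash|-bash"; sid:5000006; level: info; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] make execution"; content:"make "; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.softwink.com/bin/view/Main/5000007; program: "bash|-bash"; sid:5000007; level: info; rev:2;)

# Explicit shell spawning - often a shell escape from another program, or a reverse-shell one-liner.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] /bin/sh command line call"; content:"/bin/sh"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.softwink.com/bin/view/Main/5000008; program: "bash|-bash"; sid:5000008; level: info; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] /bin/bash command line call"; content:"/bin/bash"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.softwink.com/bin/view/Main/5000009; program: "bash|-bash"; sid:5000009; level: info; rev:2;)

# History pointed at /dev/null - anti-forensics.  No separate "HISTORY" content is needed because
# the match string already contains it.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] HISTORY=/dev/null"; content:"HISTORY=/dev/null"; classtype: suspicious-command; reference: url,wiki.softwink.com/bin/view/Main/5000010; program: "bash|-bash"; sid:5000010; level: info; rev:2;)

# Direct manipulation of the history file (viewing, truncating, deleting) - anti-forensics.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] .bash_history access"; content:".bash_history"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.softwink.com/bin/view/Main/5000011; program: "bash|-bash"; sid:5000011; level: info; rev:2;)

# A shell binary staged in /tmp - classic setuid backdoor location.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] /tmp/sh access"; content:"/tmp/sh"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.softwink.com/bin/view/Main/5000012; program: "bash|-bash"; sid:5000012; level: info; rev:2;)

# suidperl - historically a frequent local privilege-escalation target.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] suidperl access"; content:"suidperl"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.softwink.com/bin/view/Main/5000013; program: "bash|-bash"; sid:5000013; level: info; rev:2;)

# HISTFILE pointed at /dev/null - anti-forensics.  nocase added: the variable is conventionally
# written in upper case ("HISTFILE=/dev/null"), which the previous case-sensitive lower-case match
# missed entirely (rev bumped).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] histfile=/dev/null"; content:"histfile=/dev/null"; nocase; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.softwink.com/bin/view/Main/5000014; program: "bash|-bash"; sid:5000014; level: info; rev:3;)

# Firewall manipulation from an interactive shell - legitimate for admins, otherwise a sign that
# someone is opening a door or disabling a control.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] iptables command access"; content:"iptables"; content: "HISTORY"; classtype: suspicious-command; reference: url,wiki.softwink.com/bin/view/Main/5000385; program: "bash|-bash"; sid:5000385; level: info; rev:2;)
rules/bind.rules0000644000000000000000000001165011460047433012703 0ustar rootroot
# Sagan bind.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.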
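# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************

# BIND (named) log events.  parse_port_simple / parse_ip_simple tell Sagan to pull the remote address
# and port out of the message text, so the alert records the querying client rather than the syslog
# sender (the DNS server itself).  Keep them on every rule whose message carries a client address.

# Source port 0 is never legitimate; named drops the packet.  Crafted or spoofed traffic.
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"[BIND] Invalid DNS packet. Possible attack"; content: "dropping source port zero packet from"; classtype: exploit-attempt; program: named; parse_port_simple; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000101; sid:5000101; rev:2;)

# Refused zone transfer (AXFR) - the canonical DNS reconnaissance attempt.
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"[BIND] Denied zone transfer attempt"; content: "denied AXFR from"; classtype: attempted-recon; program: named; parse_port_simple; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000102; sid:5000102; rev:2;)

# Dynamic update from a host not permitted by the zone's allow-update policy.
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"[BIND] DNS update denied"; pcre: "/denied update from|unapproved update from/"; classtype: attempted-recon; program: named; parse_port_simple; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000103; sid:5000103; rev:2;)

# Log rotation failed - a permissions problem that will eventually cost you the audit trail.
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"[BIND] Log permission misconfiguration"; content: "unable to rename log file"; classtype: program-error; program: named; parse_port_simple; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000104; sid:5000104; rev:2;)

# An upstream server answered with an unexpected RCODE - a misbehaving or hostile authoritative server.
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"[BIND] Unexpected error [RCODE] while resolving domain"; content: "unexpected RCODE"; classtype: suspicious-traffic; program: named; parse_port_simple; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000164; sid:5000164; rev:2;)

# NOTIFY from a host that is not a configured master - misconfiguration, or an attempt to make the
# secondary refresh from a rogue source.  (A duplicated parse_port_simple option was removed; no
# behavioural change, rev bumped.)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"[BIND] Refused notify from non-master"; content: "refused notify from non-master"; classtype: attempted-recon; program: named; parse_port_simple; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000105; sid:5000105; rev:3;)

# RFC 2136 dynamic update refused by zone policy.  (A duplicated parse_ip_simple option was removed;
# no behavioural change, rev bumped.)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"[BIND] DNS update using RFC2136 Dynamic protocol denied"; pcre: "/update \S+ denied/"; classtype: suspicious-traffic; program: named; parse_port_simple; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000106; sid:5000106; rev:3;)

# Recursive query refused (allow-recursion / allow-query-cache).  All three tokens must appear in the
# line.  High volume when an authoritative server is swept by open-resolver scanners or used as a
# spoofed-source reflection target; threshold accordingly.
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"[BIND] Query cache denied"; content: "query"; content: "cache"; content: "denied"; classtype: attempted-recon; program: named; parse_port_simple; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000107; sid:5000107; rev:2;)

# named is terminating on a fatal error - service impact.  This message carries no client address,
# hence no parse_* options.
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"[BIND] Named fatal error. DNS service is going down"; content: "exiting"; content: "due to fatal error"; classtype: program-error; program: named; reference: url,wiki.softwink.com/bin/view/Main/5000108; sid:5000108; rev:2;)

# The master offered a lower zone serial than we hold ("... received from master X < ours"); the
# lone "\S" in the pattern stands for the comparison sign.  Usually operator error on the master,
# occasionally the footprint of an unauthorised change to the master's zone data.
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"[BIND] Serial number from master is lower than stored"; pcre: "/^zone \S+ serial number \S+ received from master \S+ \S ours/"; classtype: configuration-error; program: named; parse_port_simple; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000109; sid:5000109; rev:2;)

# A secondary zone expired because transfers from the master kept failing; named stops answering for
# it.  An availability problem, and possibly the consequence of a blocked or spoofed master.
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"[BIND] Zone transfer error"; pcre: "/^zone \S+: expired/"; classtype: configuration-error; program: named; parse_port_simple; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000110; sid:5000110; rev:2;)
rules/bro-ids.rules0000644000000000000000000000567311460047376013344 0ustar rootroot
# Sagan bro-ids.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.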
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # Submitted by Brad Doctor (July 2nd, 2010). 
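# For more information see
# http://www.bro-ids.org/
#
# NOTE(review): none of these rules carries a program: field, so each one matches any syslog line
# from ANY daemon that happens to contain the Bro notice name.  Restrict them to the program name your
# Bro logger uses once you know it.  The "limit" thresholds report at most 5 alerts per source
# address per 120 seconds; everything beyond that is dropped, not summarised.

# A host that had been guessing passwords then logged in successfully.  That is a compromise
# indicator, not reconnaissance; classtype changed from attempted-recon to successful-user so it is
# prioritised as such in alert output (rev bumped).
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Successful Password Guessing"; content: "SuccessfulPasswordGuessing"; classtype: successful-user; sid: 5000883; threshold:type limit, track by_src, count 5, seconds 120; rev:2;)

# Traffic on a port that did not conform to the protocol Bro expected there (tunnelling, evasion,
# or simply a non-standard service).
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Protocol Violation"; content: "ProtocolViolation"; classtype: attempted-recon; sid: 5000884; threshold: type limit, track by_src, count 5, seconds 120; rev:1;)

# Login with a username Bro's policy marks as sensitive (e.g. root/administrator accounts).
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Sensitive Login"; content: "SensitiveLogin"; classtype: attempted-recon; sid: 5000885; threshold:type limit, track by_src, count 5, seconds 120; rev:1;)

# Connection to/from a host or port Bro's policy marks as sensitive.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Sensitive Connection"; content: "SensitiveConnection"; classtype: attempted-recon; sid: 5000886; threshold:type limit, track by_src, count 5, seconds 120; rev:1;)

# A sensitive username supplied in the password field - often a mistyped or scripted login attempt
# that leaks the account name into cleartext password logging.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Sensitive Username in password"; content: "SensitiveUsernameInPassword"; classtype: attempted-recon; sid: 5000887; threshold:type limit, track by_src, count 5, seconds 120; rev:1;)
rules/cisco-ios.rules0000644000000000000000000000744511460047376013674 0ustar rootroot
# Sagan cisco-ios.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.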
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg: "[CISCO-IOS] SNMP Authentication Failure"; content: "SNMP-3-AUTHFAIL"; classtype: attempted-recon; reference: url,wiki.softwink.com/bin/view/Main/5000051; sid: 5000051; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg: "[CISCO-IOS] Attempted RSHELL connection"; content: "RCMD-4-RSHPORTATTEMPT"; classtype: unsuccessful-user; reference: url,wiki.softwink.com/bin/view/Main/5000052; sid: 5000052; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Interface link changed state up/down"; content: "LINK-3-UPDOWN"; classtype: network-event; reference: url,wiki.softwink.com/bin/view/Main/5000053; sid: 5000053; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Line protocol changed state up/down"; content: "LINEPROTO-5-UPDOWN"; classtype: network-event; reference: url,wiki.softwink.com/bin/view/Main/5000054; sid: 5000054; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Configuration from console"; content: "SYS-5-CONFIG_I"; classtype: configuration-change; reference: url,wiki.softwink.com/bin/view/Main/5000055; sid: 5000055; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IOS configuration changed"; content: "SYS-5-CONFIG"; classtype: configuration-change; reference: url,wiki.softwink.com/bin/view/Main/5000111; sid:5000111; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Successful login"; content: "SEC_LOGIN-5-LOGIN_SUCCESS"; classtype: successful-admin; reference: url,wiki.softwink.com/bin/view/Main/5000112; sid:5000112; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Failed login"; content: "SEC_LOGIN-4-LOGIN_FAILED"; classtype: unsuccessful-admin; reference: url,wiki.softwink.com/bin/view/Main/5000113; sid:5000113; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Fan 
failure - Fan not rotating"; content: "ENVMON-3-FAN_FAILED"; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5000388; sid:5000388; rev:2;) rules/cisco-pixasa.rules0000644000000000000000000034745711460047376014401 0ustar rootroot# Sagan cisco-pixasa.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to initialize 4GE SSM I/O card"; content: "%ASA-1-114001:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000416; sid: 5000416; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to initialize SFP in 4GE SSM I/O card"; content: "%ASA-1-114002:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000417; sid: 5000417; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to run cached commands in 4GE SSM I/O card"; content: "%ASA-1-114003:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000418; sid: 5000418; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function"; content: "%ASA-1-216001:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000419; sid: 5000419; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] AAA Marking protocol server ip-addr in server group tag as FAILED"; content: "%ASA-2-113022:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000420; sid: 5000420; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in - function message"; content: "%ASA-2-216001:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000421; sid: 5000421; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber library cannot locate AK47 instance"; content: "%ASA-2-716500:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000422; sid: 5000422; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber library cannot attach AK47 instance"; content: "%ASA-2-716501:"; 
classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000423; sid: 5000423; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber library cannot allocate default arena"; content: "%ASA-2-716502:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000424; sid: 5000424; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber library cannot allocate fiber descriptors pool"; content: "%ASA-2-716503:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000425; sid: 5000425; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber library cannot allocate fiber stacks pool"; content: "%ASA-2-716504:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000426; sid: 5000426; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber has joined fiber in unfinished state"; content: "%ASA-2-716505:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000427; sid: 5000427; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber scheduler has reached unreachable code. Cannot continue terminating"; content: "%ASA-2-716507:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000428; sid: 5000428; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber scheduler is scheduling rotten fiber. Cannot continuing terminating"; content: "%ASA-2-716508:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000429; sid: 5000429; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber scheduler is scheduling alien fiber. 
Cannot continue terminating"; content: "%ASA-2-716509:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000430; sid: 5000430; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber scheduler is scheduling finished fiber. Cannot continue terminating"; content: "%ASA-2-716510:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000431; sid: 5000431; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber has joined fiber waited upon by someone else"; content: "%ASA-2-716512:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000432; sid: 5000432; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber in callback blocked on other channel"; content: "%ASA-2-716513:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000433; sid: 5000433; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM failed to allocate memory for AK47 instance"; content: "%ASA-2-716515:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000434; sid: 5000434; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM has corrupted ROL array. 
Cannot continue terminating"; content: "%ASA-2-716516:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000435; sid: 5000435; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM cached block has no associated arena"; content: "%ASA-2-716517:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000436; sid: 5000436; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM pool has no associated arena"; content: "%ASA-2-716518:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000437; sid: 5000437; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM has corrupted pool list. Cannot continue terminating"; content: "%ASA-2-716519:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000438; sid: 5000438; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM pool has no block list"; content: "%ASA-2-716520:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000439; sid: 5000439; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM no realloc allowed in named pool"; content: "%ASA-2-716521:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000440; sid: 5000440; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM corrupted standalone block"; content: "%ASA-2-716522:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000441; sid: 5000441; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] UNICORN_SYSLOGID_PERM_STORAGE_SERVER_LOAD_FAIL"; content: "%ASA-2-716526:"; classtype: bad-unknown; reference: url, 
wiki.softwink.com/bin/view/Main/5000442; sid: 5000442; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] UNICORN_SYSLOGID_PERM_STORAGE_SERVER_STORE_FAIL"; content: "%ASA-2-716527:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000443; sid: 5000443; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unexpected fiber scheduler error; possible out-of-memory condition"; content: "%ASA-2-716528:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000444; sid: 5000444; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to get port statistics in 4GE SSM I/O card"; content: "%ASA-3-114006:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000445; sid: 5000445; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to get current msr in 4GE SSM I/O card"; content: "%ASA-3-114007:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000446; sid: 5000446; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to enable port after link is up in 4GE SSM I/O card"; content: "%ASA-3-114008:"; classtype: hardware-error; reference: url, wiki.softwink.com/bin/view/Main/5000447; sid: 5000447; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set multicast address in 4GE SSM I/O card"; content: "%ASA-3-114009:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000448; sid: 5000448; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set multicast hardware address in 4GE SSM I/O card"; content: "%ASA-3-114010:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000449; sid: 5000449; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to delete multicast address in 4GE SSM I/O 
card"; content: "%ASA-3-114011:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000450; sid: 5000450; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to delete multicast hardware address in 4GE SSM I/O card"; content: "%ASA-3-114012:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000451; sid: 5000451; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set mac address table in 4GE SSM I/O card"; content: "%ASA-3-114013:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000452; sid: 5000452; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set mac address in 4GE SSM I/O card"; content: "%ASA-3-114014:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000453; sid: 5000453; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set mode in 4GE SSM I/O card"; content: "%ASA-3-114015:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000454; sid: 5000454; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set multicast mode in 4GE SSM I/O card"; content: "%ASA-3-114016:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000455; sid: 5000455; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to get link status in 4GE SSM I/O card"; content: "%ASA-3-114017:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000456; sid: 5000456; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set port speed in 4GE SSM I/O card"; content: "%ASA-3-114018:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000457; sid: 5000457; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set media type in 
4GE SSM I/O card"; content: "%ASA-3-114019:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000458; sid: 5000458; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function message"; content: "%ASA-3-216001:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000459; sid: 5000459; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] I2C_API_name error"; content: "%ASA-3-219002:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000460; sid: 5000460; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPN Handle error protocol"; content: "%ASA-3-316002:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000461; sid: 5000461; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot experienced a control channel communications failure"; content: "%ASA-3-323001:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000462; sid: 5000462; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot failed to write software. 
Hw-module reset is required before further use"; content: "%ASA-3-323004:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000463; sid: 5000463; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot can not be powered on completely"; content: "%ASA-3-323005:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000464; sid: 5000464; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Type Module in slot experienced a data channel communication failure, data channel is DOWN"; content: "%ASA-3-323006:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000465; sid: 5000465; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IPS card not up and fail-close mode used, dropping ICMP packet [1]"; content: "%ASA-3-420001:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000466; sid: 5000466; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IPS card not up and fail-close mode used, dropping ICMP packet [2]"; content: "%ASA-3-420001:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000467; sid: 5000467; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] TCP|UDP flow from interface is dropped because application has failed"; content: "%ASA-3-421001:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000468; sid: 5000468; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] TCP|UDP flow from interface is skipped because application has failed"; content: "%ASA-3-421007:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000469; sid: 5000469; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authentication to SSO server failed"; content: "%ASA-3-716056:"; classtype: unsuccessful-user; reference: 
url, wiki.softwink.com/bin/view/Main/5000470; sid: 5000470; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Email Proxy session pointer has terminated due to reason error"; content: "%ASA-3-719002:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000471; sid: 5000471; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SVC Message ERROR message [1]"; content: "%ASA-3-722007:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000472; sid: 5000472; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SVC Message ERROR message [2]"; content: "%ASA-3-722008:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000473; sid: 5000473; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SVC Message ERROR message [3]"; content: "%ASA-3-722009:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000474; sid: 5000474; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot is not able to shut down. Module Error"; content: "%ASA-4-413001:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000475; sid: 5000475; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot is not able to reload. Module Error"; content: "%ASA-4-413002:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000476; sid: 5000476; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot failed to write software. 
Trying again"; content: "%ASA-4-413004:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000477; sid: 5000477; rev: 1;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IPS requested to drop ICMP packets"; content: "%ASA-4-420002:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000478; sid: 5000478; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {Allowed | Dropped} invalid NBNS pkt"; content: "%ASA-4-423001:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000479; sid: 5000479; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {Allowed | Dropped} mismatched NBNS pkt"; content: "%ASA-4-423002:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000480; sid: 5000480; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {Allowed | Dropped} invalid NBDGM pkt"; content: "%ASA-4-423003:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000481; sid: 5000481; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {Allowed | Dropped} mismatched NBDGM pkt"; content: "%ASA-4-423004:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000482; sid: 5000482; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {Allowed | Dropped} NBDGM pkt"; content: "%ASA-4-423005:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000483; sid: 5000483; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Packet denied. 
[Ingress|Egress] interface is in a backup state"; content: "%ASA-4-424001:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000484; sid: 5000484; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Connection to the backup interface is denied"; content: "%ASA-4-424002:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000485; sid: 5000485; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny traffic, licensed host limit exceeded."; content: "%ASA-4-450001:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000486; sid: 5000486; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Received DH key with bad length"; content: "%ASA-4-713240:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000487; sid: 5000487; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] META-DATA Unexpected error in Next Card Code mode while not doing SDI"; content: "%ASA-4-713247:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000488; sid: 5000488; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] META-DATA Received authentication failure message"; content: "%ASA-4-713251:"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000489; sid: 5000489; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to initialize with Chunk Manager"; content: "%ASA-4-720001:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000490; sid: 5000490; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to allocate chunk from Chunk Manager"; content: "%ASA-4-720007:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000491; sid: 5000491; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET 
any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to register to High Availability Framework"; content: "%ASA-4-720008:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000492; sid: 5000492; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to create version control block"; content: "%ASA-4-720009:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000493; sid: 5000493; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to allocate memory"; content: "%ASA-4-720011:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000494; sid: 5000494; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to insert certificate in trust point"; content: "%ASA-4-720013:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000495; sid: 5000495; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to queue add to message queue"; content: "%ASA-4-720033:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000496; sid: 5000496; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to send type message id to standby unit"; content: "%ASA-4-720043:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000497; sid: 5000497; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to receive message from active unit"; content: "%ASA-4-720044:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000498; sid: 5000498; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to sync SDI node secret file for server on the standby unit"; content: "%ASA-4-720047:"; classtype: bad-unknown; reference: url, 
wiki.softwink.com/bin/view/Main/5000499; sid: 5000499; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to add new SDI node secret file for server id on the standby unit"; content: "%ASA-4-720051:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000500; sid: 5000500; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to delete SDI node secret file for server id on the standby unit"; content: "%ASA-4-720052:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000501; sid: 5000501; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to add cTCP IKE rule during bulk sync"; content: "%ASA-4-720053:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000502; sid: 5000502; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to add new cTCP record"; content: "%ASA-4-720054:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000503; sid: 5000503; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN Stateful failover can only be run in single/non-transparent mode"; content: "%ASA-4-720055:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000504; sid: 5000504; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to update cTCP database"; content: "%ASA-4-720064:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000505; sid: 5000505; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to add new cTCP IKE rule"; content: "%ASA-4-720065:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000506; sid: 5000506; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] 
Failed to activate IKE database"; content: "%ASA-4-720066:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000507; sid: 5000507; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to deactivate IKE database"; content: "%ASA-4-720067:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000508; sid: 5000508; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to parse peer message"; content: "%ASA-4-720068:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000509; sid: 5000509; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to activate cTCP database"; content: "%ASA-4-720069:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000510; sid: 5000510; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to deactivate cTCP database"; content: "%ASA-4-720070:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000511; sid: 5000511; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Fail to insert certificate in trust point on the standby unit"; content: "%ASA-4-720073:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000512; sid: 5000512; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error parsing SVC connect request"; content: "%ASA-4-722001:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000513; sid: 5000513; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error consolidating SVC connect request."; content: "%ASA-4-722002:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000514; sid: 5000514; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error authenticating 
SVC connect request"; content: "%ASA-4-722003:"; classtype: unsuccessful-admin; reference: url, wiki.softwink.com/bin/view/Main/5000515; sid: 5000515; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error responding to SVC connect request"; content: "%ASA-4-722004:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000516; sid: 5000516; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad SVC frame length length expected"; content: "%ASA-4-722016:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000517; sid: 5000517; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad SVC framing 525446, reserved 0"; content: "%ASA-4-722017:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000518; sid: 5000518; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad SVC protocol version"; content: "%ASA-4-722018:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000519; sid: 5000519; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] CRYPTO An attempt to allocate a large memory block failed"; content: "%ASA-5-402128:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000520; sid: 5000520; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] META-DATA Rekey initiation is being disabled during CRACK authentication"; content: "%ASA-5-713248:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000521; sid: 5000521; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Integrity Firewall Server is not available. 
VPN Tunnel creation rejected for client"; content: "%ASA-5-713252:"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000522; sid: 5000522; rev: 1;)
# 713252 and 713253 share a root cause (Integrity Firewall Server unreachable)
# but have opposite outcomes: 713253 means the tunnel was created anyway
# ("Entering ALLOW mode"), i.e. the check failed open. It is classed
# successful-user here, which is easy to overlook in triage — consider a
# distinct, higher-priority class for it.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Integrity Firewall Server is not available. Entering ALLOW mode. VPN Tunnel created for client"; content: "%ASA-5-713253:"; classtype: successful-user; reference: url, wiki.softwink.com/bin/view/Main/5000523; sid: 5000523; rev: 1;)
# 7200xx VPN stateful-failover internals (default timer, LB runtime data, HA
# buffer, cTCP statistics, timer message). 720018 is hardware-event while its
# siblings are bad-unknown — confirm that split is intentional.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to initialize default timer"; content: "%ASA-5-720016:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000525; sid: 5000525; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to update LB runtime data"; content: "%ASA-5-720017:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000526; sid: 5000526; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to get a buffer from the underlying core high availability subsystem"; content: "%ASA-5-720018:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000527; sid: 5000527; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to update cTCP statistics"; content: "%ASA-5-720019:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000528; sid: 5000528; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to send type timer message"; content: "%ASA-5-720020:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000529; sid: 5000529; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] HA non-block send failed for peer msg. 
HA error code."; content: "%ASA-5-720021:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000530; sid: 5000530; rev: 1;)
# 720035/720036/720071: state-replication failures between the VPN failover
# peers — if these repeat, the standby's VPN state is presumably diverging
# from the active unit's.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Fail to look up CTCP flow handle"; content: "%ASA-5-720035:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000531; sid: 5000531; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to process state update message from the active peer"; content: "%ASA-5-720036:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000532; sid: 5000532; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to update cTCP dynamic data"; content: "%ASA-5-720071:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000533; sid: 5000533; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Timeout waiting for Integrity Firewall Server to become available"; content: "%ASA-5-720072:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000534; sid: 5000534; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] CRYPTO An attempt to release a DMA memory block failed, location address"; content: "%ASA-6-402129:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000535; sid: 5000535; rev: 1;)
# WebVPN URL-ACL enforcement: 716004 is a per-request deny (policy-violation),
# 716005 means the ACL itself could not be parsed (configuration-error) — the
# second is the one that indicates the policy may not be what was intended.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN access DENIED to specified location url"; content: "%ASA-6-716004:"; classtype: policy-violation; reference: url, wiki.softwink.com/bin/view/Main/5000536; sid: 5000536; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN ACL Parse Error"; content: "%ASA-6-716005:"; classtype: configuration-error; reference: url, wiki.softwink.com/bin/view/Main/5000537; sid: 5000537; rev: 1;)
alert syslog $EXTERNAL_NET any -> 
# 716009: the session is refused outright when the WebVPN ACL fails to parse —
# the fail-closed counterpart of the 716005 parse error.
$HOME_NET any (msg: "[CISCO-PIXASA] WebVPN session not allowed. WebVPN ACL parse error"; content: "%ASA-6-716009:"; classtype: configuration-error; reference: url, wiki.softwink.com/bin/view/Main/5000538; sid: 5000538; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Reboot pending, new sessions disabled. Denied user login"; content: "%ASA-6-716040:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000539; sid: 5000539; rev: 1;)
# 716050/716051: dynamic (per-user) ACL could not be installed; 716051 is
# classed unsuccessful-user because the user's session is affected, 716050
# as configuration-error.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error adding to ACL"; content: "%ASA-6-716050:"; classtype: configuration-error; reference: url, wiki.softwink.com/bin/view/Main/5000540; sid: 5000540; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error adding dynamic ACL for user"; content: "%ASA-6-716051:"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000541; sid: 5000541; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Email Proxy feature is disabled on interface"; content: "%ASA-6-719010:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000542; sid: 5000542; rev: 1;)
# 719019/719020: WebVPN authorization outcome. 719020 fires on every successful
# authorization and is likely high-volume; it earns its keep correlated against
# the 719019/719023 failures (e.g. many failures then a success from one
# source) rather than as a standalone alert.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN authorization failed"; content: "%ASA-6-719019:"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000543; sid: 5000543; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN authorization completed successfully"; content: "%ASA-6-719020:"; classtype: successful-user; reference: url, wiki.softwink.com/bin/view/Main/5000544; sid: 5000544; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN has not been successfully authenticated. 
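Access denied"; content: "%ASA-6-719023:"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000545; sid: 5000545; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Email Proxy piggyback auth fail session"; content: "%ASA-6-719024:"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000546; sid: 5000546; rev: 1;)
# 719025: classtype corrected from the typo "configuration-errorn" to
# "configuration-error", the class every other parse/config rule in this file
# uses. A classtype name that does not exist cannot be resolved to a
# classification/priority, so the rule would not have alerted with the intended
# priority. rev bumped to 2 for the change.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Email Proxy DNS name resolution failed for hostname"; content: "%ASA-6-719025:"; classtype: configuration-error; reference: url, wiki.softwink.com/bin/view/Main/5000547; sid: 5000547; rev: 2;)
# 720002-720006: VPN stateful-failover subsystem start-up and thread creation;
# informational, all hardware-event.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Starting VPN Stateful Failover Subsystem"; content: "%ASA-6-720002:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000548; sid: 5000548; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Initialization of VPN Stateful Failover Component completed successfully"; content: "%ASA-6-720003:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000549; sid: 5000549; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover main thread started"; content: "%ASA-6-720004:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000550; sid: 5000550; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover timer thread started"; content: "%ASA-6-720005:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000551; sid: 5000551; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover sync thread started"; content: "%ASA-6-720006:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000552; sid: 5000552; rev: 1;)
alert syslog $EXTERNAL_NET any -> 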
$HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover client is being disabled"; content: "%ASA-6-720010:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000553; sid: 5000553; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to update IPSec failover runtime data on the standby unit"; content: "%ASA-6-720012:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000554; sid: 5000554; rev: 1;)
# 720039/720040: active/standby role transitions of the VPN failover client —
# the signal for a failover that nobody scheduled.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover client is transitioning to active state"; content: "%ASA-6-720039:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000555; sid: 5000555; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover client is transitioning to standby state"; content: "%ASA-6-720040:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000556; sid: 5000556; rev: 1;)
# 720056/720058/720060 describe the same kind of event (a stateful-failover
# thread being disabled), yet 720060 is bad-unknown while the other two are
# hardware-event. That looks unintentional — confirm and align the three.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN Stateful failover Message Thread is being disabled"; content: "%ASA-6-720056:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000557; sid: 5000557; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN Stateful failover Timer Thread is disabled"; content: "%ASA-6-720058:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000559; sid: 5000559; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN Stateful failover Sync Thread is disabled."; content: "%ASA-6-720060:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000561; sid: 5000561; rev: 1;)
# 722025: SVC compression turned off globally — an operator action, not a
# fault, despite the hardware-event class.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SVC Global Compression Disabled"; content: "%ASA-6-722025:"; classtype: hardware-event; 
reference: url, wiki.softwink.com/bin/view/Main/5000563; sid: 5000563; rev: 1;)
# 725006: a failed SSL handshake, classed bad-unknown. One hit is noise
# (client/cipher mismatch); a sustained run from a single source is what
# matters, so this rule is best consumed with a per-source count downstream.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Device failed SSL handshake"; content: "%ASA-6-725006:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000564; sid: 5000564; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to inject {TCP|UDP} packet"; content: "%ASA-7-421004:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000565; sid: 5000565; rev: 1;)
# 7160xx WebVPN file browsing: every rule below is an access denial, hence
# policy-violation. The trailing "filename" / "domain domain" in the msg text
# are presumably placeholders carried over from the Cisco message template.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] File access DENIED, filename"; content: "%ASA-7-716021:"; classtype: policy-violation; reference: url, wiki.softwink.com/bin/view/Main/5000566; sid: 5000566; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to browse the network"; content: "%ASA-7-716024:"; classtype: policy-violation; reference: url, wiki.softwink.com/bin/view/Main/5000567; sid: 5000567; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to browse domain domain"; content: "%ASA-7-716025:"; classtype: policy-violation; reference: url, wiki.softwink.com/bin/view/Main/5000568; sid: 5000568; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to browse directory"; content: "%ASA-7-716026:"; classtype: policy-violation; reference: url, wiki.softwink.com/bin/view/Main/5000569; sid: 5000569; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to view file"; content: "%ASA-7-716027:"; classtype: policy-violation; reference: url, wiki.softwink.com/bin/view/Main/5000570; sid: 5000570; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to remove file"; content: "%ASA-7-716028:"; classtype: policy-violation; reference: url, wiki.softwink.com/bin/view/Main/5000571; sid: 5000571; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET 
any (msg: "[CISCO-PIXASA] Unable to rename file"; content: "%ASA-7-716029:"; classtype: policy-violation; reference: url, wiki.softwink.com/bin/view/Main/5000572; sid: 5000572; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to modify file"; content: "%ASA-7-716030:"; classtype: policy-violation; reference: url, wiki.softwink.com/bin/view/Main/5000573; sid: 5000573; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to create file"; content: "%ASA-7-716031:"; classtype: policy-violation; reference: url, wiki.softwink.com/bin/view/Main/5000574; sid: 5000574; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to create folder"; content: "%ASA-7-716032:"; classtype: policy-violation; reference: url, wiki.softwink.com/bin/view/Main/5000575; sid: 5000575; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to remove folder"; content: "%ASA-7-716033:"; classtype: policy-violation; reference: url, wiki.softwink.com/bin/view/Main/5000576; sid: 5000576; rev: 1;)
# 716037 is the one authentication failure in the file-browsing group
# (unsuccessful-user); the 716029-716033 rules above are denials presumably
# raised after the user is already in the session.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] File Access User failed to login into the server"; content: "%ASA-7-716037:"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000577; sid: 5000577; rev: 1;)
# 722030/722031: SVC session teardown (in / out); 7230xx: WebVPN Citrix
# (SOCKS) relay errors.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SVC Session Termination"; content: "%ASA-7-722030:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000579; sid: 5000579; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SVC Session Termination Out"; content: "%ASA-7-722031:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000580; sid: 5000580; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN Citrix encountered bad flow control flow"; content: "%ASA-7-723004:"; classtype: bad-unknown; 
reference: url, wiki.softwink.com/bin/view/Main/5000581; sid: 5000581; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN Citrix SOCKS errors"; content: "%ASA-7-723006:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000582; sid: 5000582; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN Citrix receives bad SOCKS socks message length"; content: "%ASA-7-723011:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000583; sid: 5000583; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN Citrix received bad SOCKS socks message format"; content: "%ASA-7-723012:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000584; sid: 5000584; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SSL lib error"; content: "%ASA-7-725014:"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000585; sid: 5000585; rev: 1;)
# From here on, the PIX-compatible pattern: content carries the bare
# "<severity>-<id>:" and the pcre only requires a %PIX- or %ASA- prefix
# somewhere on the line, so both platforms match. Note the pcre is not tied to
# the content — they are two independent substring tests. A single
# pcre: "/%(PIX|ASA)-3-331001:/" would bind the prefix to the id (keep the
# content as a fast prefilter); same applies to every rule below of this form.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dynamic DNS Update failed"; content: "3-331001:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000586; sid: 5000586; rev: 1;)
# 5000587-5000590 (ASA-only content "%ASA-1-10400x:") are fully covered by
# 5000606-5000609 later in this file (bare "1-10400x:" plus the %PIX-/%ASA-
# pcre), so an ASA failover switch matches both sets — two alerts per event
# unless the engine stops at the first match. Either drop one set or make the
# later set PIX-only. The msg text of 5000588-5000591 also embeds a raw
# "%PIX|ASA-1-xxxxxx" id, unlike every other rule in the file.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Switching to ACTIVE";content: "%ASA-1-104001:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000587; sid: 5000587; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA]%PIX|ASA-1-104002 [Primary] Switching to STNDBY [cause string]."; content: "%ASA-1-104002:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000588; sid: 5000588; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA]%PIX|ASA-1-104003 [Primary] Switching to FAILED"; content: "%ASA-1-104003:"; classtype: hardware-event; reference: url, 
wiki.softwink.com/bin/view/Main/5000589; sid: 5000589; rev: 1;)
# 5000590 (ASA-only "%ASA-1-104004:") overlaps 5000609 later in the file
# (bare "1-104004:" plus the %PIX-/%ASA- pcre) for ASA sources.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA]%PIX|ASA-1-104004 [Primary] Switching to OK."; content: "%ASA-1-104004:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000590; sid: 5000590; rev: 1;)
# 105037: the active role is flapping between the two units. Same
# hardware-event class as the rest, but repeated role flips mean neither unit
# is reliably in charge — the one failover message in this group to escalate.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA]%PIX|ASA-1-105037 The primary and standby units are switching back and forth as the active unit"; content: "%ASA-1-105037:"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000591; sid: 5000591; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed Identification Test"; content: "2-218004:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000592; sid: 5000592; rev: 1;)
# 1010xx: serial failover-cable state (OK / bad / not connected on either
# side), PIX and ASA.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover cable OK"; content: "1-101001:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000595; sid: 5000595; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Bad failover cable"; content: "1-101002:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000596; sid: 5000596; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover cable not connected [this unit]"; content: "1-101003:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000597; sid: 5000597; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover cable not connected [other unit]"; content: "1-101004:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000598; sid: 5000598; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] 
[Primary] Error reading failover cable status"; content: "1-101005:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000599; sid: 5000599; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Power failure/System reload other side"; content: "1-102001:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000600; sid: 5000600; rev: 1;)
# 1030xx: the local unit's view of its failover mate (no response, mate
# interface OK/failed, mate reports this unit failed, mate reporting failure).
# Pair these with the 1040xx switch-over messages to reconstruct which side
# failed first.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] No response from other firewall"; content: "1-103001:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000601; sid: 5000601; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Other firewall network interface OK"; content: "1-103002:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000602; sid: 5000602; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Other firewall network interface failed"; content: "1-103003:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000603; sid: 5000603; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Other firewall reports this firewall failed"; content: "1-103004:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000604; sid: 5000604; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Other firewall reporting failure"; content: "1-103005:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000605; sid: 5000605; rev: 1;)
# 104001: switch to ACTIVE, PIX and ASA. For ASA sources this overlaps
# 5000587 earlier in the file, which matches the same event via
# "%ASA-1-104001:".
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Switching to ACTIVE"; content: "1-104001:"; pcre: "/%PIX-|%ASA-/"; classtype: 
hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000606; sid: 5000606; rev: 1;)
# 104002-104004: failover state switches (STNDBY / FAILED / OK). These also
# match ASA sources and so overlap sids 5000588-5000590 earlier in the file.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Switching to STNDBY"; content: "1-104002:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000607; sid: 5000607; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Switching to FAILED"; content: "1-104003:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000608; sid: 5000608; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Switching to OK"; content: "1-104004:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000609; sid: 5000609; rev: 1;)
# 105001/105002: failover disabled / enabled. Both are hardware-event here,
# but "Disabling failover" is an administrative state change — seen outside a
# change window it removes the redundancy every other rule in this group
# assumes, so it is worth routing to whoever owns the change calendar.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Disabling failover"; content: "1-105001:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000610; sid: 5000610; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Enabling failover"; content: "1-105002:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000611; sid: 5000611; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Lost Failover communications with mate on interface"; content: "1-105005:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000612; sid: 5000612; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover cable communication failure"; content: "1-105011:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000614; sid: 5000614; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] 
# 105021: standby could not sync because the config is locked; classed
# bad-unknown rather than hardware-event. A standby that cannot sync is
# presumably running stale policy until this clears, so it deserves follow-up.
[failover_unit] Standby unit failed to sync due to a locked config"; content: "1-105021:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000615; sid: 5000615; rev: 1;)
# 105031-105036: LAN-based failover link state and peer messages.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failover LAN interface is up"; content: "1-105031:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000616; sid: 5000616; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LAN Failover interface is down"; content: "1-105032:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000617; sid: 5000617; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Receive a LAN_FAILOVER_UP message from peer"; content: "1-105034:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000618; sid: 5000618; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Receive a LAN failover interface down msg from peer"; content: "1-105035:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000619; sid: 5000619; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] dropped a LAN Failover command message"; content: "1-105036:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000620; sid: 5000620; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Unable to verify the Interface count with mate. 
Failover may be disabled in mate"; content: "1-105039:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000621; sid: 5000621; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Mate failover version is not compatible"; content: "1-105040:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000622; sid: 5000622; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover interface OK"; content: "1-105042:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000623; sid: 5000623; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover interface failed"; content: "1-105043:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000624; sid: 5000624; rev: 1;)
# 106021/106022 are anti-spoofing denies (reverse-path check, connection
# spoof) and 107001 is a RIP authentication failure — attack-indicative events
# that all land in bad-unknown. A more specific classtype would let them sort
# above the 1050xx failover housekeeping.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny protocol reverse path check"; content: "1-106021:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000625; sid: 5000625; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny protocol connection spoof"; content: "1-106022:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000626; sid: 5000626; rev: 1;)
# 106101: the ACL deny-flow logging limit was reached. Deny logging is
# presumably throttled after this, so a quiet period in deny alerts that
# follows may be the throttle rather than an absence of denies — confirm
# against the platform documentation.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] The number of ACL log deny-flows has reached limit"; content: "1-106101:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000627; sid: 5000627; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] RIP auth failed"; content: "1-107001:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000628; sid: 5000628; rev: 1;)
alert 
syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] RIP pkt failed"; content: "1-107002:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000629; sid: 5000629; rev: 1;)
# 1060xx connection denies. The rule-header protocol/port (tcp any, udp 53,
# icmp) varies per rule below; as far as I can tell Sagan carries the header
# into its output rather than using it to filter syslog input, so the
# content/pcre pair does all the selecting — confirm before relying on the
# port to narrow anything.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Inbound TCP connection denied"; content: "2-106001:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000631; sid: 5000631; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Connection denied by outbound ACL"; content: "2-106002:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000632; sid: 5000632; rev: 1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny inbound UDP"; content: "2-106006:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000633; sid: 5000633; rev: 1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg: "[CISCO-PIXASA] Deny inbound UDP from outside due to DNS {Response|Query}"; content: "2-106007:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000634; sid: 5000634; rev: 1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping echo request"; content: "2-106013:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000635; sid: 5000635; rev: 1;)
# 106016/106017: IP-spoof and Land-attack denies — attack-indicative like
# 106021/106022, yet filed as bad-unknown alongside routine ACL denies.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny IP spoof"; content: "2-106016:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000636; sid: 5000636; rev: 1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny IP due to Land Attack"; content: "2-106017:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000637; sid: 5000637; rev: 1;)
alert icmp $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-PIXASA] ICMP denied by outbound ACL"; content: "2-106018:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000638; sid: 5000638; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny IP teardrop fragment"; content: "2-106020:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000639; sid: 5000639; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad route_compress"; content: "2-215001:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000640; sid: 5000640; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed Identification Test in slot"; content: "2-218001:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000641; sid: 5000641; rev: 1;)
# 410002: DNS responses dropped for a transaction-id mismatch. Isolated hits
# are noise; a burst aimed at one resolver is a classic cache-poisoning
# indicator. Classed bad-unknown here, so count per source downstream.
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg: "[CISCO-PIXASA] Dropped DNS responses with mis-matched id"; content: "2-410002:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000642; sid: 5000642; rev: 1;)
# 709007: configuration replication to the failover peer failed, so the
# standby may be enforcing a different policy than the active unit.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Configuration replication failed for command"; content: "2-709007:"; pcre: "/%PIX-|%ASA-/"; classtype: configuration-error ; reference: url, wiki.softwink.com/bin/view/Main/5000643; sid: 5000643; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unexpected event"; content: "2-717011:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000644; sid: 5000644; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover message block alloc failed"; content: "3-105010:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000645; sid: 5000645; rev: 
1;)
# 106010/106011/106014: inbound denies (protocol, no xlate, ICMP).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny inbound protocol"; content: "3-106010:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000646; sid: 5000646; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny inbound [No xlate]"; content: "3-106011:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000647; sid: 5000647; rev: 1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny inbound ICMP"; content: "3-106014:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000648; sid: 5000648; rev: 1;)
# 1090xx AAA: 109010 is a capacity limit on pending authentications
# (presumably reachable through a flood of login attempts as well as a slow
# AAA server, so it is worth a look either way); 109016/109019/109020/109032
# are per-user authorization-ACL lookup/download/install failures.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Auth from inside to outside failed [too many pending auths]"; content: "3-109010:"; pcre: "/%PIX-|%ASA-/"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000649; sid: 5000649; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Can't find authorization ACL for user"; content: "3-109016:"; pcre: "/%PIX-|%ASA-/"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000650; sid: 5000650; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Downloaded ACL has parsing error"; content: "3-109019:"; pcre: "/%PIX-|%ASA-/"; classtype: configuration-error; reference: url, wiki.softwink.com/bin/view/Main/5000651; sid: 5000651; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Downloaded ACL has config error"; content: "3-109020:"; pcre: "/%PIX-|%ASA-/"; classtype: configuration-error; reference: url, wiki.softwink.com/bin/view/Main/5000652; sid: 5000652; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to install ACL, downloaded for user"; content: "3-109032:"; pcre: "/%PIX-|%ASA-/"; classtype: configuration-error; 
reference: url, wiki.softwink.com/bin/view/Main/5000653; sid: 5000653; rev: 1;)
# 113020: Kerberos clock skew beyond 300 s. Kerberos rejects tickets outside
# the allowed skew, so until time is resynchronised authentication against
# that server fails for everyone — a configuration-error with an
# availability impact, usually an NTP problem.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Kerberos error. Clock skew with server greater than 300 seconds"; content: "3-113020:"; pcre: "/%PIX-|%ASA-/"; classtype: configuration-error; reference: url, wiki.softwink.com/bin/view/Main/5000654; sid: 5000654; rev: 1;)
# 201005/201006: application-inspection back-connections (FTP data, RCMD).
# The msg of 5000656 has a trailing space inside the quotes; harmless.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "[CISCO-PIXASA] FTP data connection failed"; content: "3-201005:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000655; sid: 5000655; rev: 1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg: "[CISCO-PIXASA] RCMD backconnection failed "; content: "3-201006:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000656; sid: 5000656; rev: 1;)
# 2100xx "LU" messages (presumably logical update, the failover state
# replication path): allocation/lookup failures while mirroring connections,
# NAT and xlate state to the standby.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU sw_module_name error"; content: "3-210001:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000657; sid: 5000657; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU allocate block [bytes] failed"; content: "3-210002:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000658; sid: 5000658; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU allocate connection failed"; content: "3-210005:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000659; sid: 5000659; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU look NAT failed"; content: "3-210006:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000660; sid: 5000660; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU allocate xlate failed"; content: "3-210007:"; pcre: "/%PIX-|%ASA-/"; 
classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000661; sid: 5000661; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU make UDP connection for outside to inside failed"; content: "3-210010:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000662; sid: 5000662; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU PAT port reserve failed"; content: "3-210020:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000663; sid: 5000663; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU create static xlate interface failed"; content: "3-210021:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000664; sid: 5000664; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Memory allocation Error"; content: "3-211001:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000665; sid: 5000665; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to open SNMP channel"; content: "3-212001:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000666; sid: 5000666; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to open SNMP trap channel"; content: "3-212002:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000667; sid: 5000667; rev: 1;) alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg: "[CISCO-PIXASA] Unable to receive an SNMP request on interface"; content: "3-212003:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000668; sid: 5000668; rev: 1;) alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg: "[CISCO-PIXASA] Unable to send an SNMP 
response"; content: "3-212004:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000669; sid: 5000669; rev: 1;) alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg: "[CISCO-PIXASA] Dropping SNMP request"; content: "3-212006:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000670; sid: 5000670; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPTP tunnel hashtable insert failed"; content: "3-213002:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000671; sid: 5000671; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPP virtual interface client ip allocation failed"; content: "3-213004:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000672; sid: 5000672; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] H.323 library_name ASN Library failed to initialize"; content: "3-302019:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000673; sid: 5000673; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] ACL = deny; no sa created"; content: "3-302302:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000674; sid: 5000674; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {outbound static|identity|portmap|regular] translation creation failed"; content: "3-305006:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000675; sid: 5000675; rev: 1;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Denied ICMP"; content: "3-313001:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000676; sid: 5000676; rev: 1;) alert icmp $EXTERNAL_NET any 
-> $HOME_NET any (msg: "[CISCO-PIXASA] Denied ICMPv6"; content: "3-313008:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000677; sid: 5000677; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "[CISCO-PIXASA] Fail to establish SSH session because RSA host key retrieval failed"; content: "3-315004:"; pcre: "/%PIX-|%ASA-/"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000678; sid: 5000678; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Denied new tunnel limit exceeded"; content: "3-316001:"; pcre: "/%PIX-|%ASA-/"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000679; sid: 5000679; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IP routing table creation failure"; content: "3-317003:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000681; sid: 5000681; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error"; content: "3-318001:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000682; sid: 5000682; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Arp update for IP address address to NPn failed"; content: "3-319003:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000683; sid: 5000683; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Route update for IP address failed"; content: "3-319004:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000684; sid: 5000684; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny MAC address possible spoof attempt"; content: "3-322001:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, 
wiki.softwink.com/bin/view/Main/5000685; sid: 5000685; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] ARP inspection check failed [1]"; content: "3-322002:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000686; sid: 5000686; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] ARP inspection check failed [2]"; content: "3-322003:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000687; sid: 5000687; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] GSN tunnel limit exceeded"; content: "3-324006:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000690; sid: 5000690; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Radius Accounting Request has a bad header length"; content: "3-324301:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000691; sid: 5000691; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unexpected error in the timer library"; content: "3-326001:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000692; sid: 5000692; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error"; content: "3-326002:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000693; sid: 5000693; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] An internal error occurred while processing a packet queue"; content: "3-326004:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000694; sid: 5000694; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Mrib notification failed"; content: "3-326005:"; pcre: "/%PIX-|%ASA-/"; 
classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000695; sid: 5000695; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Entry-creation failed"; content: "3-326006:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000696; sid: 5000696; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Entry-update failed"; content: "3-326007:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000697; sid: 5000697; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] MRIB registration failed"; content: "3-326008:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000698; sid: 5000698; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] MRIB connection-open failed"; content: "3-326009:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000699; sid: 5000699; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] MRIB unbind failed"; content: "3-326010:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000700; sid: 5000700; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] MRIB table deletion failed"; content: "3-326011:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000701; sid: 5000701; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Initialization of string functionality failed"; content: "3-326012:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000702; sid: 5000702; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error"; content: "3-326013:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; 
reference: url, wiki.softwink.com/bin/view/Main/5000703; sid: 5000703; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Initialization failed"; content: "3-326014:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000704; sid: 5000704; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Communication error"; content: "3-326015:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000705; sid: 5000705; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set un-numbered interface"; content: "3-326016:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000706; sid: 5000706; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Interface Manager error"; content: "3-326017:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000707; sid: 5000707; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] List error"; content: "3-326020:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000708; sid: 5000708; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error"; content: "3-326021:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000709; sid: 5000709; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error"; content: "3-326022:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000710; sid: 5000710; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] An internal error occurred while processing a packet queue"; content: "3-326024:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, 
wiki.softwink.com/bin/view/Main/5000711; sid: 5000711; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Server unexpected error"; content: "3-326026:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000712; sid: 5000712; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Corrupted update"; content: "3-326027:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000713; sid: 5000713; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Asynchronous error"; content: "3-326028:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000714; sid: 5000714; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IP SLA Monitor Failed to initialize, will not work"; content: "3-327002:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000715; sid: 5000715; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IP SLA Monitor Generic Timer wheel timer functionality failed to initialize"; content: "3-327003:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000716; sid: 5000716; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPPoE - Bad host-unique in PADO - packet dropped"; content: "3-403501:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000717; sid: 5000717; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPPoE - Bad host-unique in PADS - dropping packet"; content: "3-403502:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000718; sid: 5000718; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPPoEPPPoE client on 
interface failed to locate PPPoE vpdn group"; content: "3-403507:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000719; sid: 5000719; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "[CISCO-PIXASA] Failed to save logging buffer using filename to FTP server"; content: "3-414001:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000720; sid: 5000720; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to save logging buffer to flash or syslog directory using file name filename"; content: "3-414002:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000721; sid: 5000721; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] NTP daemon Packet denied"; content: "3-610001:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000722; sid: 5000722; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] NTP daemon Authentication failed"; content: "3-610002:"; pcre: "/%PIX-|%ASA-/"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000723; sid: 5000723; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPNClient Backup Server List Error"; content: "3-611313:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000724; sid: 5000724; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error processing payload"; content: "3-713048:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000725; sid: 5000725; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Tunnel Rejected User matched with group name, check failed"; content: "3-713059:"; pcre: "/%PIX-|%ASA-/"; classtype: unsuccessful-user; 
reference: url, wiki.softwink.com/bin/view/Main/5000726; sid: 5000726; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Tunnel Rejected User not member of group, check failed"; content: "3-713060:"; pcre: "/%PIX-|%ASA-/"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000727; sid: 5000727; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to retrieve identity certificate"; content: "3-713082:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000728; sid: 5000728; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Set Cert filehandle failure no IPSec SA in group"; content: "3-713088:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000729; sid: 5000729; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Request attempt failed!"; content: "3-713107:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000730; sid: 5000730; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to process CONNECTED notify!"; content: "3-713112:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000731; sid: 5000731; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Client-reported firewall does not match configured firewall action tunnel"; content: "3-713141:"; pcre: "/%PIX-|%ASA-/"; classtype: policy-violation; reference: url, wiki.softwink.com/bin/view/Main/5000732; sid: 5000732; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Client did not report firewall in use, but there is a configured firewall action tunnel"; content: "3-713142:"; pcre: "/%PIX-|%ASA-/"; classtype: policy-violation; reference: url, wiki.softwink.com/bin/view/Main/5000733; sid: 5000733; 
rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] TCP Connection to Firewall Server has been lost, restricted tunnels are now allowed full network access"; content: "3-713159:"; pcre: "/%PIX-|%ASA-/"; classtype: policy-violation; reference: url, wiki.softwink.com/bin/view/Main/5000734; sid: 5000734; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Remote user network access has been restricted by the Firewall Server"; content: "3-713161:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000735; sid: 5000735; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Remote user has been rejected by the Firewall Server"; content: "3-713162:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000736; sid: 5000736; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Remote user has been terminated by the Firewall Server"; content: "3-713163:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000737; sid: 5000737; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Headend security gateway has failed our user authentication attempt - check configured username and password"; content: "3-713166:"; pcre: "/%PIX-|%ASA-/"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000738; sid: 5000738; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Remote peer has failed user authentication - check configured username and password"; content: "3-713167:"; pcre: "/%PIX-|%ASA-/"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000739; sid: 5000739; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error Username too long - connection aborted"; content: "3-713185:"; pcre: "/%PIX-|%ASA-/"; classtype: 
bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000740; sid: 5000740; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] User Authorization failed"; content: "3-713198:"; pcre: "/%PIX-|%ASA-/"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000741; sid: 5000741; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IKE Receiver Error reading from socket"; content: "3-713203:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000742; sid: 5000742; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Connection failed with peer, no trust-point defined"; content: "3-713226:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000743; sid: 5000743; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal Error, ike_lock trying to lock bit that is already locked"; content: "3-713230:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000744; sid: 5000744; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal Error, ike_lock trying to unlock bit that is not locked"; content: "3-713231:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000745; sid: 5000745; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Querying keypair failed"; content: "3-717001:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000746; sid: 5000746; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Certificate enrollment failed for trustpoint"; content: "3-717002:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000747; sid: 5000747; rev: 1;) alert syslog $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-PIXASA] Certificate validation failed"; content: "3-717009:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000748; sid: 5000748; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] CRL polling failed for trustpoint"; content: "3-717010:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000749; sid: 5000749; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to refresh CRL cache entry from the server for trustpoint"; content: "3-717012:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000750; sid: 5000750; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to query CA certificate for trustpoint"; content: "3-717017:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000751; sid: 5000751; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to insert CRL for trustpoint"; content: "3-717019:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000752; sid: 5000752; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SSL failed to set device certificate for trustpoint"; content: "3-717023:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000753; sid: 5000753; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Certificate chain failed validation"; content: "3-717027:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000754; sid: 5000754; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny protocol"; content: "4-106023:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, 
wiki.softwink.com/bin/view/Main/5000755; sid: 5000755; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to determine the security context for the packetvlansource Vlan"; content: "4-106027:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000756; sid: 5000756; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] NT Domain Authentication Failed rejecting guest login for username."; content: "4-109031:"; pcre: "/%PIX-|%ASA-/"; classtype: misc-attack; reference: url, wiki.softwink.com/bin/view/Main/5000757; sid: 5000757; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authentication failed for admin user"; content: "4-109033:"; pcre: "/%PIX-|%ASA-/"; classtype: unsuccessful-admin; reference: url, wiki.softwink.com/bin/view/Main/5000758; sid: 5000758; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authentication failed for network user"; content: "4-109034:"; pcre: "/%PIX-|%ASA-/"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000759; sid: 5000759; rev: 1;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Denied ICMP"; content: "4-313004:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000760; sid: 5000760; rev: 1;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] No matching connection for ICMP error"; content: "4-313005:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000761; sid: 5000761; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] NAC Downloaded ACL parse failure"; content: "4-335005:"; pcre: "/%PIX-|%ASA-/"; classtype: configuration-error; reference: url, wiki.softwink.com/bin/view/Main/5000762; sid: 5000762; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] 
Shun add failed unable to allocate resources"; content: "4-401005:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000763; sid: 5000763; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IPSEC Received an protocol packet from remote IP to local IP that failed anti-replay checking"; content: "4-402119:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000764; sid: 5000764; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IPSEC Received an protocol packet from remote IP to local IP that failed authentication"; content: "4-402120:"; pcre: "/%PIX-|%ASA-/"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000765; sid: 5000765; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] CRYPTO The hardware accelerator encountered an error while executing crypto command"; content: "4-402123:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-event; reference: url, wiki.softwink.com/bin/view/Main/5000766; sid: 5000766; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPPoE failed to assign PPP IP address"; content: "4-403506:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000767; sid: 5000767; rev: 1;) alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg: "[CISCO-PIXASA] ISAKMP Failed to allocate address for client from pool string"; content: "4-404101:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000768; sid: 5000768; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] H225 message contains bad protocol discriminator hex"; content: "4-405103:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000769; sid: 5000769; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any 
(msg: "[CISCO-PIXASA] Deny traffic for local-host, license limit of number exceeded"; content: "4-407001:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000770; sid: 5000770; rev: 1;) alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg: "[CISCO-PIXASA] Dropped UDP SNMP packet"; content: "4-416001:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000771; sid: 5000771; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Filter violation error conn number"; content: "4-417004:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000772; sid: 5000772; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Through-the-device packet to/from management-only network is denied"; content: "4-418001:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000773; sid: 5000773; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping TCP packet, reason MSS exceeded, MSS size, data size"; content: "4-419001:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000774; sid: 5000774; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] RTP conformance Dropping RTP packet"; content: "4-431001:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000775; sid: 5000775; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] RTCP conformance Dropping RTCP packet"; content: "4-431002:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000776; sid: 5000776; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping Skinny message length value too small"; content: "4-608002:"; pcre: "/%PIX-|%ASA-/"; classtype: 
bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000777; sid: 5000777; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping Skinny message length value too large"; content: "4-608003:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000778; sid: 5000778; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping Skinny message id value not allowed"; content: "4-608004:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000779; sid: 5000779; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping Skinny message id value registration not complete"; content: "4-608005:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000780; sid: 5000780; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Auto Update failed"; content: "4-612002:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000781; sid: 5000781; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Auto Update failed"; content: "4-612003:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000782; sid: 5000782; rev: 1;) alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg: "[CISCO-PIXASA] DNS lookup for Server failed!"; content: "4-713154:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000783; sid: 5000783; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Name lookup failed for hostname during PKI operation"; content: "4-717026:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000784; sid: 5000784; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to find a 
suitable trustpoint for issuer"; content: "4-717031:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000785; sid: 5000785; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Tunnel group search using certificate maps failed"; content: "4-717037:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000786; sid: 5000786; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IP address end configuration {FAILED|OK}"; content: "5-111004:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000787; sid: 5000787; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "[CISCO-PIXASA] FTP cmd_string command unsupported - failed strict inspection"; content: "5-303004:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000788; sid: 5000788; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Access denied URL chars"; content: "5-304002:"; pcre: "/%PIX-|%ASA-/"; classtype: policy-violation; reference: url, wiki.softwink.com/bin/view/Main/5000789; sid: 5000789; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Asymmetric NAT rules matched for forward and reverse flows"; content: "5-305013:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000790; sid: 5000790; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] EAPoUDP association failed to establish"; content: "5-334003:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000791; sid: 5000791; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] EAPoUDP failed to get a response from host"; content: "5-334006:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, 
wiki.softwink.com/bin/view/Main/5000792; sid: 5000792; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] HTTP - matched string in policy-map verification failed"; content: "5-415004:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000793; sid: 5000793; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad TCP hdr length"; content: "5-500003:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000794; sid: 5000794; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IKE area failed to find centry for message"; content: "5-713010:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000796; sid: 5000796; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failure during phase 1 rekeying attempt due to collision"; content: "5-713092:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000797; sid: 5000797; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Ignoring received malformed firewall record"; content: "5-713144:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000798; sid: 5000798; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Create peer failure, already at maximum of number of peers"; content: "5-718002:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000800; sid: 5000800; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to send to IP"; content: "5-718005:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000801; sid: 5000801; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Socket open failure"; 
content: "5-718007:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000802; sid: 5000802; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Socket bind failure"; content: "5-718008:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000803; sid: 5000803; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send HELLO response failure"; content: "5-718009:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000804; sid: 5000804; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send HELLO request failure"; content: "5-718011:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000805; sid: 5000805; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send CFG UPDATE failure"; content: "5-718024:"; pcre: "/%PIX-|%ASA-/"; classtype: configuration-error; reference: url, wiki.softwink.com/bin/view/Main/5000806; sid: 5000806; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send OOS indicator failure"; content: "5-718028:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000807; sid: 5000807; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send TOPOLOGY indicator failure"; content: "5-718033:"; pcre: "/%PIX-|%ASA-/"; classtype: configuration-error; reference: url, wiki.softwink.com/bin/view/Main/5000808; sid: 5000808; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Create of secure tunnel failure"; content: "5-718048:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000809; sid: 5000809; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Delete of secure tunnel 
failure"; content: "5-718050:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000810; sid: 5000810; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Queue send failure from ISR"; content: "5-718057:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000811; sid: 5000811; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Inbound socket select fail"; content: "5-718060:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000812; sid: 5000812; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Inbound socket read fail"; content: "5-718061:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000813; sid: 5000813; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Cannot continue to run"; content: "5-718065:"; pcre: "/%PIX-|%ASA-/"; classtype: hardware-failure; reference: url, wiki.softwink.com/bin/view/Main/5000814; sid: 5000814; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to create access list for peer"; content: "5-718074:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000815; sid: 5000815; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to create tunnel group for peer"; content: "5-718076:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000816; sid: 5000816; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to delete tunnel group for peer"; content: "5-718077:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000817; sid: 5000817; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail 
to create crypto map for peer"; content: "5-718078:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000818; sid: 5000818; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to delete crypto map for peer"; content: "5-718079:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000819; sid: 5000819; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to create crypto policy for peer"; content: "5-718080:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000820; sid: 5000820; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to delete crypto policy for peer"; content: "5-718081:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000821; sid: 5000821; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to install LB NP rules"; content: "5-718086:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000822; sid: 5000822; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to delete LB NP rules"; content: "5-718087:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000823; sid: 5000823; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny IP"; content: "6-106012:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000824; sid: 5000824; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny TCP [no connection]"; content: "6-106015:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000825; sid: 5000825; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] 
Failed to determine the security context"; content: "6-106025:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000826; sid: 5000826; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to determine the security context"; content: "6-106026:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000827; sid: 5000827; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] access-list ACL {permitted | denied | est-allowed} protocol"; content: "6-106100:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000828; sid: 5000828; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Auth from inside to outside failed [server failed] on interface"; content: "6-109002:"; pcre: "/%PIX-|%ASA-/"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000829; sid: 5000829; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Auth from inside to outside failed [all servers failed] on interface"; content: "6-109003:"; pcre: "/%PIX-|%ASA-/"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000830; sid: 5000830; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authentication failed for user"; content: "6-109006:"; pcre: "/%PIX-|%ASA-/"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000831; sid: 5000831; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authorization permitted for user"; content: "6-109007:"; pcre: "/%PIX-|%ASA-/"; classtype: successful-user; reference: url, wiki.softwink.com/bin/view/Main/5000832; sid: 5000832; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authorization denied for user from outside to inside on interface"; content: "6-109008:"; 
pcre: "/%PIX-|%ASA-/"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000833; sid: 5000833; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authorization denied [not authenticated]"; content: "6-109024:"; pcre: "/%PIX-|%ASA-/"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000834; sid: 5000834; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authorization denied for user"; content: "6-109025:"; pcre: "/%PIX-|%ASA-/"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000835; sid: 5000835; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] User user locked out on exceeding number successive failed authentication attempts"; content: "6-113006:"; pcre: "/%PIX-|%ASA-/"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000836; sid: 5000836; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] AAA unable to complete the request"; content: "6-113013:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000837; sid: 5000837; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] URL Server request failed URL"; content: "6-304004:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000838; sid: 5000838; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] RIP hdr failed"; content: "6-312001:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000839; sid: 5000839; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] No management IP address configured for transparent firewall"; content: "6-322004:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000840; sid: 5000840; rev: 1;) alert 
syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] NAC is disabled for host"; content: "6-335004:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000841; sid: 5000841; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Login denied"; content: "6-605004:"; pcre: "/%PIX-|%ASA-/"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000842; sid: 5000842; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authorization failed"; content: "6-610101:"; pcre: "/%PIX-|%ASA-/"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000843; sid: 5000843; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] User authentication failed"; content: "6-611102:"; pcre: "/%PIX-|%ASA-/"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000844; sid: 5000844; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPNClient XAUTH Failed"; content: "6-611311:"; pcre: "/%PIX-|%ASA-/"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5000845; sid: 5000845; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPNClient Secure Unit Authentication Disabled"; content: "6-611317:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000846; sid: 5000846; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPNClient User Authentication Disabled"; content: "6-611319:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000847; sid: 5000847; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPNClient Device Pass Thru Disabled"; content: "6-611321:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000848; sid: 
5000848; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPNClient Extended XAUTH conversation initiated when SUA disabled"; content: "6-611322:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000849; sid: 5000849; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Checksum Failure in database"; content: "6-613001:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000850; sid: 5000850; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] vlan number not available for firewall interface"; content: "6-615001:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000851; sid: 5000851; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] vlan number available for firewall interface"; content: "6-615002:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000852; sid: 5000852; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad register"; content: "6-621007:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000853; sid: 5000853; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Attempt to send an IKE packet from standby unit. 
Dropping the packet!"; content: "6-713235:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000854; sid: 5000854; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Certificate received from Certificate Authority for trustpoint"; content: "6-717003:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000855; sid: 5000855; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PKCS 12 export failed"; content: "6-717004:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000856; sid: 5000856; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PKCS 12 import failed"; content: "6-717006:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000857; sid: 5000857; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] uauth_lookup_net fail for uauth_in"; content: "7-109014:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000858; sid: 5000858; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Uauth null proxy error"; content: "7-109021:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000859; sid: 5000859; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send failure"; content: "7-713039:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000861; sid: 5000861; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Cert validation failure handle invalid for Main/Aggressive Mode Initiator/Responder!"; content: "7-713094:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000862; sid: 5000862; rev: 1;) alert syslog 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Attempt to get Phase 1 ID data failed while hash computation"; content: "7-713104:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000863; sid: 5000863; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Processing firewall record"; content: "7-713143:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000864; sid: 5000864; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Remote user has been granted access by the Firewall Server"; content: "7-713160:"; pcre: "/%PIX-|%ASA-/"; classtype: successful-user; reference: url, wiki.softwink.com/bin/view/Main/5000865; sid: 5000865; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] The Firewall Server has requested a list of active user sessions"; content: "7-713164:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000866; sid: 5000866; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Got bad refCnt assigning"; content: "7-713190:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000867; sid: 5000867; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] subroutine Q Send failure RetCode"; content: "7-715004:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000868; sid: 5000868; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] subroutine name Bad message code Cod"; content: "7-715005:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000869; sid: 5000869; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IKE received response to a request from the utility"; content: "7-715042:"; pcre: 
"/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000870; sid: 5000870; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] ERROR malformed Keepalive payload"; content: "7-715045:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000871; sid: 5000871; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Claims to be IOS but failed authentication"; content: "7-715050:"; pcre: "/%PIX-|%ASA-/"; classtype: misc-attack; reference: url, wiki.softwink.com/bin/view/Main/5000872; sid: 5000872; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropped received IKE fragment"; content: "7-715060:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000873; sid: 5000873; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error assembling fragments! Fragment numbers are non-continuous"; content: "7-715062:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000874; sid: 5000874; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IKE state_machine subtype FSM error history"; content: "7-715065:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000875; sid: 5000875; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal interprocess communication queue send failure"; content: "7-718001:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000876; sid: 5000876; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send KEEPALIVE request failure"; content: "7-718018:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000877; sid: 5000877; rev: 1;) alert syslog $EXTERNAL_NET any 
-> $HOME_NET any (msg: "[CISCO-PIXASA] Send KEEPALIVE response failure"; content: "7-718020:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000878; sid: 5000878; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to create group"; content: "7-718047:"; pcre: "/%PIX-|%ASA-/"; classtype: bad-unknown; reference: url, wiki.softwink.com/bin/view/Main/5000879; sid: 5000879; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Creation of group policy"; content: "7-718046"; pcre: "/%PIX-|%ASA-/"; classtype: system-event; reference: url, wiki.softwink.com/bin/view/Main/5000880; sid: 5000880; rev: 1;) rules/classification.config0000644000000000000000000001256011460047376015104 0ustar rootroot# Sagan classification.config # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* #************************************************************* # Sagan specific classifications! #************************************************************* config classification: unsuccessful-admin,Unsuccessful Admin Privilege Gain,1 config classification: exploit-attempt,Exploit Attempt,1 config classification: program-error,Program Error,2 config classification: suspicious-command,Suspicious Command Execution,1 config classification: network-event,Network event,2 config classification: system-event,System event,2 config classification: configuration-change,Configuration Change,2 config classification: spam,Spam,3 config classification: permissions-violation,Attempted Access To File or Directory,3 config classification: suspicious-traffic,Suspicious Traffic,2 config classification: configuration-error,Configuration Error,2 config classification: hardware-event,Hardware Event,1 #************************************************************* # Snort's classifications #************************************************************* config classification: not-suspicious,Not Suspicious Traffic,3 config classification: unknown,Unknown Traffic,3 config classification: bad-unknown,Potentially Bad Traffic, 2 config classification: attempted-recon,Attempted Information Leak,2 config classification: successful-recon-limited,Information Leak,2 config classification: successful-recon-largescale,Large 
Scale Information Leak,2 config classification: attempted-dos,Attempted Denial of Service,2 config classification: successful-dos,Denial of Service,2 config classification: attempted-user,Attempted User Privilege Gain,1 config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1 config classification: successful-user,Successful User Privilege Gain,1 config classification: attempted-admin,Attempted Administrator Privilege Gain,1 config classification: successful-admin,Successful Administrator Privilege Gain,1 #************************************************************* # NEW Snort's classifications #************************************************************* config classification: rpc-portmap-decode,Decode of an RPC Query,2 config classification: shellcode-detect,Executable code was detected,1 config classification: string-detect,A suspicious string was detected,3 config classification: suspicious-filename-detect,A suspicious filename was detected,2 config classification: suspicious-login,An attempted login using a suspicious username was detected,2 config classification: system-call-detect,A system call was detected,2 config classification: tcp-connection,A TCP connection was detected,4 config classification: trojan-activity,A Network Trojan was detected, 1 config classification: unusual-client-port-connection,A client was using an unusual port,2 config classification: network-scan,Detection of a Network Scan,3 config classification: denial-of-service,Detection of a Denial of Service Attack,2 config classification: non-standard-protocol,Detection of a non-standard protocol or event,2 config classification: protocol-command-decode,Generic Protocol Command Decode,3 config classification: web-application-activity,access to a potentially vulnerable web application,2 config classification: web-application-attack,Web Application Attack,1 config classification: misc-activity,Misc activity,3 config classification: misc-attack,Misc Attack,2 config 
classification: icmp-event,Generic ICMP event,3 config classification: kickass-porn,SCORE! Get the lotion!,1 config classification: policy-violation,Potential Corporate Privacy Violation,1 config classification: default-login-attempt,Attempt to login by a default username and password,2 rules/courier.rules0000644000000000000000000000527011460047376013446 0ustar rootroot# Sagan courier.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER] Connection established"; content: "Connection,"; classtype: not-suspicious; program: courierlogger; reference: url,wiki.softwink.com/bin/view/Main/5000258; sid:5000258; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER] IMAP/POP3 authentication failure"; content: "LOGIN FAILED,"; classtype: unsuccessful-user; program: courierlogger; reference: url,wiki.softwink.com/bin/view/Main/5000259; sid:5000259; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER] Logout/timeout"; pcre: "/LOGOUT|DISCONNECTED/"; classtype: not-suspicious; program: courierlogger; reference: url,wiki.softwink.com/bin/view/Main/5000260; sid:5000260; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER] User login"; content: "LOGIN"; classtype: successful-user; program: courierlogger; reference: url,wiki.softwink.com/bin/view/Main/5000261; sid:5000261; rev:1;) rules/dovecot.rules0000644000000000000000000000563011460047376013441 0ustar rootroot# Sagan dovecot.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DOVECOT] Authentication success"; content: "login"; content: "Login"; classtype: successful-user; program: dovecot; reference: url,wiki.softwink.com/bin/view/Main/5000264; sid:5000264; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DOVECOT] Failed login"; content: "Password mismatch"; classtype: unsuccessful-user; program: dovecot; reference: url,wiki.softwink.com/bin/view/Main/5000265; sid:5000265; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DOVECOT] Starting up"; content: "starting up"; classtype: system-event; program: dovecot; reference: url,wiki.softwink.com/bin/view/Main/5000266; sid:5000266; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DOVECOT] Fatal error"; content: "Fatal"; classtype: program-error; program: dovecot; reference: url,wiki.softwink.com/bin/view/Main/5000267; sid:5000267; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DOVECOT] Invalid username"; pcre: "/user not found|User not known|unknown user/i"; classtype: unsuccessful-user; program: dovecot; reference: url,wiki.softwink.com/bin/view/Main/5000268; sid:5000268; rev:1;) rules/fortinet.rules0000644000000000000000000005250011460047376013626 0ustar rootroot# Sagan fortinet.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # These are mostly taken from Fortigate 4.0 Message reference manual. 
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Protection profile changed"; content: "32151 type="; content: "changed protection profile"; classtype: configuration-change; reference: url,wiki.softwink.com/bin/view/Main/5000898; sid: 5000898; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] ICMP traffic disallowed"; content: "16003 type="; classtype: not-suspicious; reference: url,wiki.softwink.com/bin/view/Main/5000899; sid: 5000899; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Login from LCD"; content: "32001 type="; content: "from LCD"; classtype: successful-admin; reference: url,wiki.softwink.com/bin/view/Main/5000900; sid: 5000900; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Administrator Login"; content: "32001 type="; content: "logged in"; classtype: successful-admin; reference: url,wiki.softwink.com/bin/view/Main/5000901; sid: 5000901; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin login from LCD failed"; content: "32002 type="; content: "LCD failed"; classtype: attempted-admin; reference: url,wiki.softwink.com/bin/view/Main/5000902; sid: 5000902; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin login failed"; content: "32002 type="; content: "login failed"; classtype: attempted-admin; reference: url,wiki.softwink.com/bin/view/Main/5000903; sid: 5000903; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Too many bad admin login attempts"; content: "32002 type="; content: "bad attempts"; classtype: attempted-admin; reference: url,wiki.softwink.com/bin/view/Main/5000904; sid: 5000904; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Administrator logout"; content: "32003 type="; content: "action=logout"; classtype: not-suspicious; reference: url,wiki.softwink.com/bin/view/Main/5000905; sid: 5000905; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET
any (msg: "[FORTINET] IPS error mode"; content: "32004 type="; content: "error mode"; classtype: configuration-error; reference: url,wiki.softwink.com/bin/view/Main/5000906; sid: 5000906; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Login failed"; content: "32005 type="; content: "login failed"; classtype: attempted-admin; reference: url,wiki.softwink.com/bin/view/Main/5000907; sid: 5000907; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Login accepted"; content: "32006 type="; content: "login"; pcre: "/accepted|successfully/"; classtype: successful-admin; reference: url,wiki.softwink.com/bin/view/Main/5000908; sid: 5000908; rev:1;)
# content: is a literal match and does not support "a|b" alternation; alternatives are written with pcre: as in the rule above.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Disk full or almost full"; content: "32006 type="; content: "disk"; nocase; content: "log "; nocase; pcre: "/exceeds|full/"; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5000909; sid: 5000909; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Fortigate has started"; content: "32006 type="; content: "Fortigate started"; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5000910; sid: 5000910; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Fortigate has entered error mode"; content: "32006 type="; content: "entered error mode"; classtype: configuration-error; reference: url,wiki.softwink.com/bin/view/Main/5000911; sid: 5000911; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Fortigate has left error mode"; content: "32006 type="; content: "out of error mode"; classtype: configuration-error; reference: url,wiki.softwink.com/bin/view/Main/5000912; sid: 5000912; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Administrator session timeout"; content: "32007 type="; content: "session timed out"; classtype: not-suspicious; reference:
url,wiki.softwink.com/bin/view/Main/5000913; sid: 5000913; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Abnormal Admin session drop"; content: "32007 type="; content: "terminates the sessions"; classtype: not-suspicious; reference: url,wiki.softwink.com/bin/view/Main/5000914; sid: 5000914; rev:1;)
# content: is a literal match and does not support "a|b" alternation; alternatives are written with pcre: as elsewhere in these rules.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Normal administrator logout"; content: "32007 type="; pcre: "/logs out from|is diconnected by/"; classtype: not-suspicious; reference: url,wiki.softwink.com/bin/view/Main/5000915; sid: 5000915; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Administrator is clearing/deleting logs"; content: "32007 type="; pcre: "/has removed|has deleted|has cleared/"; classtype: configuration-change; reference: url,wiki.softwink.com/bin/view/Main/5000916; sid: 5000916; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Cannot store config. Low flash space"; content: "32007 type="; content: "Cannot store config"; content: "flash space"; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5000917; sid: 5000917; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin has left current VDOM"; content: "32007 type="; content: "has left the virtual domain"; classtype: not-suspicious; reference: url,wiki.softwink.com/bin/view/Main/5000918; sid: 5000918; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin login failure"; content: "32009 type="; content: "login failed from"; classtype: attempted-admin; reference: url,wiki.softwink.com/bin/view/Main/5000919; sid: 5000919; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Disk log usage has exceeded"; content: "32010 type="; pcre: "/Disk logs|error mode|Log disk|reason=disk-log-full/"; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5000920; sid: 5000920; rev:2;)
alert syslog
$EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Memory usage has exceeded"; content: "32010 type="; content: "reason=memory-log-full"; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5000921; sid: 5000921; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Reason unknown error"; content: "32010 type="; content: "reason=unknown"; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5000922; sid: 5000922; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Out of error mode"; content: "32012 type="; content: "out of error mode"; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5000923; sid: 5000923; rev:1;)
# content: is a literal match and does not support "a|b" alternation; alternatives are written with pcre: as elsewhere in these rules.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Administrator removed logs"; content: "32013 type="; pcre: "/cleared|deleted|removed/"; classtype: configuration-change; reference: url,wiki.softwink.com/bin/view/Main/5000924; sid: 5000924; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] License about to expire"; content: "32014 type="; content: "license will expire"; classtype: program-error; reference: url,wiki.softwink.com/bin/view/Main/5000925; sid: 5000925; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Log disk is full"; content: "32015 type="; content: "Log disk is"; content: "full"; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5000926; sid: 5000926; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Corrupted MAC packet detected"; content: "32020 type="; content: "Corrupted MAC packet detected"; classtype: network-event; reference: url,wiki.softwink.com/bin/view/Main/5000927; sid: 5000927; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Action reboot or shutdown"; content: "32095 type="; pcre: "/action=reboot|action=shutdown/"; classtype: hardware-event; reference:
url,wiki.softwink.com/bin/view/Main/5000928; sid: 5000928; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Action reload"; content: "32095 type="; content: "action=reload"; classtype: configuration-change; reference: url,wiki.softwink.com/bin/view/Main/5000929; sid: 5000929; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Action factory_reset"; content: "32095 type="; content: "action=factory_reset"; classtype: configuration-change; reference: url,wiki.softwink.com/bin/view/Main/5000930; sid: 5000930; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] New access profile added"; content: "32101 type="; content: "added new access profile"; classtype: configuration-change; reference: url,wiki.softwink.com/bin/view/Main/5000931; sid: 5000931; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Configuration change"; content: "32102 type="; content: "made a change"; classtype: configuration-change; reference: url,wiki.softwink.com/bin/view/Main/5000932; sid: 5000932; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Access profile changed"; content: "32102 type="; content: "setting of access profile"; classtype: configuration-change; reference: url,wiki.softwink.com/bin/view/Main/5000933; sid: 5000933; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Access profile deleted"; content: "32103 type="; content: "deleted an access profile"; classtype: configuration-change; reference: url,wiki.softwink.com/bin/view/Main/5000934; sid: 5000934; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] New admin user added"; content: "32120 type="; content: "added an admin user"; classtype: configuration-change; reference: url,wiki.softwink.com/bin/view/Main/5000935; sid: 5000935; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] New user group added"; content: "32120 type="; content: "added an 
user group"; classtype: configuration-change; reference: url,wiki.softwink.com/bin/view/Main/5000936; sid: 5000936; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin changed another admin's password"; content: "32150 type="; content: "changed password of admin"; classtype: configuration-change; reference: url,wiki.softwink.com/bin/view/Main/5000971; sid: 5000971; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Flash memory is full!"; content: "20031 type="; content: "flash memory is full"; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5000937; sid: 5000937; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin authentication success"; content: "38001 type="; content: "succeeded in authentication"; classtype: successful-admin; reference: url,wiki.softwink.com/bin/view/Main/5000938; sid: 5000938; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin authentication failure"; content: "38001 type="; content: "failed in authentication"; classtype: attempted-admin; reference: url,wiki.softwink.com/bin/view/Main/5000939; sid: 5000939; rev:1;)
# content: is a literal match and does not support "a|b" alternation; alternatives are written with pcre: as elsewhere in these rules.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin authentication failure"; content: "38002 type="; pcre: "/failed to authenticate|failed in authentication/"; classtype: attempted-admin; reference: url,wiki.softwink.com/bin/view/Main/5000940; sid: 5000940; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Failed authentication too many times"; content: "38003 type="; content: "failed authentication to many times"; classtype: attempted-admin; reference: url,wiki.softwink.com/bin/view/Main/5000941; sid: 5000941; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Chassis fan anomaly"; content: "99503 type="; content: "Chassis fan anomaly"; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5000942; sid: 5000942;
rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Chassis temperature anomaly"; content: "99504 type="; content: "Chassis temperature anomaly"; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5000943; sid: 5000943; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Chassis voltage anomaly"; content: "99505 type="; content: "Chassis voltage anomaly"; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5000944; sid: 5000944; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Blade fan anomaly"; content: "99506 type="; content: "Blade fan anomaly"; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5000945; sid: 5000945; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Blade temperature anomaly"; content: "99507 type="; content: "Blade temperature anomaly"; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5000946; sid: 5000946; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Blade voltage anomaly"; content: "99508 type="; content: "Blade voltage anomaly"; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5000947; sid: 5000947; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] L2TP/PPTP/PPPoE Authentication success"; content: "29002 type="; content: "action=auth_success"; classtype: successful-user; reference: url,wiki.softwink.com/bin/view/Main/5000948; sid: 5000948; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] L2TP/PPTP/PPPoE Authentication failed"; content: "29003 type="; content: "action=auth_failed"; classtype: unsuccessful-user; reference: url,wiki.softwink.com/bin/view/Main/5000949; sid: 5000949; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] L2TP/PPTP/PPPoE Max connection reached"; content: "29004 type="; content: "No more clients can connect"; 
classtype: system-event; reference: url,wiki.softwink.com/bin/view/Main/5000950; sid: 5000950; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] L2TP/PPTP/PPPoE Not enough memory"; content: "29024 type="; content: "not enough memory"; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5000951; sid: 5000951; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Data Leak Prevention Rule Matched"; content: "11000 type="; content: "Data Leak Prevention Rule matched"; classtype: policy-violation; reference: url,wiki.softwink.com/bin/view/Main/5000952; sid: 5000952; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Application control instant messaging message"; content: "11600 type="; content: "kind="; classtype: policy-violation; reference: url,wiki.softwink.com/bin/view/Main/5000953; sid: 5000953; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Application control instant message file transfer message"; content: "116001 type="; content: "kind="; classtype: policy-violation; reference: url,wiki.softwink.com/bin/view/Main/5000954; sid: 5000954; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Application control instant message chat message"; content: "116002 type="; content: "kind="; classtype: policy-violation; reference: url,wiki.softwink.com/bin/view/Main/5000955; sid: 5000955; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Application control instant message SIP session blocked message"; content: "116003 type="; content: "kind="; classtype: policy-violation; reference: url,wiki.softwink.com/bin/view/Main/5000956; sid: 5000956; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Application control instant message message"; content: "116010 type="; content: "kind="; classtype: policy-violation; reference: url,wiki.softwink.com/bin/view/Main/5000957; sid: 5000957; rev:1;)
alert syslog
$EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] An application control VoIP-SIP session blocked message"; content: "116011 type="; content: "kind="; classtype: policy-violation; reference: url,wiki.softwink.com/bin/view/Main/5000958; sid: 5000958; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] E-mail of an infected file"; content: "60000 type="; classtype: suspicious-traffic; reference: url,wiki.softwink.com/bin/view/Main/5000959; sid: 5000959; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] File blocked via e-mail"; content: "63000 type="; classtype: suspicious-traffic; reference: url,wiki.softwink.com/bin/view/Main/5000960; sid: 5000960; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] File intercepted via e-mail"; content: "63002 type="; classtype: suspicious-traffic; reference: url,wiki.softwink.com/bin/view/Main/5000961; sid: 5000961; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Attack signature matched [see content] [1]"; content: "70000 type="; classtype: misc-attack; reference: url,wiki.softwink.com/bin/view/Main/5000962; sid: 5000962; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Attack signature matched [see content] [2]"; content: "73001 type="; classtype: misc-attack; reference: url,wiki.softwink.com/bin/view/Main/5000963; sid: 5000963; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Banned word was found"; content: "90000 type="; classtype: policy-violation; reference: url,wiki.softwink.com/bin/view/Main/5000964; sid: 5000964; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Cookie was removed"; content: "91000 type="; classtype: web-application-activity; reference: url,wiki.softwink.com/bin/view/Main/5000965; sid: 5000965; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Java applet was removed"; content: "91005 type="; classtype: 
web-application-activity; reference: url,wiki.softwink.com/bin/view/Main/5000966; sid: 5000966; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] ActiveX script was removed"; content: "91010 type="; classtype: web-application-activity; reference: url,wiki.softwink.com/bin/view/Main/5000967; sid: 5000967; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] URL was in blacklist"; content: "93002 type="; classtype: policy-violation; reference: url,wiki.softwink.com/bin/view/Main/5000968; sid: 5000968; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] URL belongs to a denied category"; content: "99501 type="; classtype: policy-violation; reference: url,wiki.softwink.com/bin/view/Main/5000969; sid: 5000969; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] calloc failed"; content: "93007 type="; content: "calloc"; content: "failed"; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5000970; sid: 5000970; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] FTP attempt"; content: "80000 type="; content: "user="; content: "group="; classtype: suspicious-traffic; reference: url,wiki.softwink.com/bin/view/Main/5000972; sid: 5000972; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Entered system conserve mode!"; content: "22802 type="; content: "entered system conserve mode"; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5000973; sid: 5000973; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Leaving system conserve mode"; content: "22803 type="; content: "exited system conserve mode"; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5000974; sid: 5000974; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] General CRITICAL event"; content: "devname="; content: "pri=critical"; classtype: hardware-event; reference: 
url,wiki.softwink.com/bin/view/Main/5000975; sid: 5000975; rev:1;) rules/ftpd.rules0000644000000000000000000001201211460047376012723 0ustar rootroot# Sagan ftpd.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[FTPD] FTP Login refused"; content: "FTP LOGIN REFUSED"; classtype: unsuccessful-user; program: ftpd; reference: url,wiki.softwink.com/bin/view/Main/5000182; sid:5000182; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[FTPD] File created"; content: " created "; classtype: not-suspicious; program: ftpd; reference: url,wiki.softwink.com/bin/view/Main/5000183; sid:5000183; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[FTPD] File deleted"; content: " deleted "; classtype: not-suspicious; program: ftpd; reference: url,wiki.softwink.com/bin/view/Main/5000184; sid:5000184; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[FTPD] User uploaded a file to server"; content: "IMPORT file"; classtype: not-suspicious; program: ftpd; reference: url,wiki.softwink.com/bin/view/Main/5000185; sid:5000185; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[FTPD] User downloaded a file from server"; content: "EXPORT file"; classtype: not-suspicious; program: ftpd; reference: url,wiki.softwink.com/bin/view/Main/5000186; sid:5000186; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[FTPD] Remote host connected to FTP server"; pcre: "/FTP LOGIN FROM|connection from|connect from/"; classtype: successful-user; program: ftpd; reference: url,wiki.softwink.com/bin/view/Main/5000187; sid:5000187; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[FTPD] Connection blocked by TCP Wrappers"; content: "refused connect from"; classtype: tcp-connection; program: ftpd; reference: url,wiki.softwink.com/bin/view/Main/5000188; sid:5000188; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[FTPD] Reverse lookup failure"; pcre: "/can't verify hostname|gethostbyaddr/"; classtype: not-suspicious; program: ftpd; reference: url,wiki.softwink.com/bin/view/Main/5000189; sid:5000189; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21
(msg:"[FTPD] Multiple failed login attempts"; content: "repeated login failures"; classtype: misc-attack; program: ftpd; reference: url,wiki.softwink.com/bin/view/Main/5000190; sid:5000190; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[FTPD] User disconnected due to time out"; content: "timed out after"; classtype: not-suspicious; program: ftpd; reference: url,wiki.softwink.com/bin/view/Main/5000191; sid:5000191; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[FTPD] Attempted access to a disabled account"; content: "Account is disabled"; classtype: unsuccessful-user; program: ftpd; reference: url,wiki.softwink.com/bin/view/Main/5000192; sid:5000192; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[FTPD] Failed authentication"; content: "failed authentication from"; nocase; classtype: unsuccessful-user; program: ftpd; reference: url,wiki.softwink.com/bin/view/Main/5000193; sid:5000193; rev:1;)
# NOTE(review): the pcre below is anchored (^...$) against the whole message, so it can never be satisfied by a line
# that also contains "FTP LOGIN FROM"; the anchors need to be rewritten against the username field of the login line.
# program: was "sshd" here, which cannot match ftpd logs; aligned with the rest of this file.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "[FTPD] User logged into a disabled account"; content: "FTP LOGIN FROM"; pcre: "/^apache$|^mysql$|^www$|^nobody$|^nogroup$|^portmap$|^named$|^rpc$|^mail$|^ftp$|^shutdown$|^halt$|^daemon$|^bin$|^postfix$|^shell$|^info$|^guest$|^psql$|^user$|^users$|^console$|^uucp$|^lp$|^sync$|^sshd$|^cdrom$|^ossec$|^sagan$/"; classtype: successful-user; reference: url,wiki.softwink.com/bin/view/Main/5000412; program: ftpd; sid: 5000412; rev:2;)
rules/grsec.rules0000644000000000000000000000522111460047376013075 0ustar rootroot# Sagan grsec.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved.
# # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # These rule sets are for systems with hardened kernels (PaX/GRSec). If you don't run a hardened kernel, you won't # see these alerts. 
# For more information, see: http://www.grsecurity.net/
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"GRSEC Time set"; content:"time set by";classtype: not-suspicious; program: grsec; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000029; sid: 5000029; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"GRSEC Signal 11 sent"; content:"signal 11 sent";classtype: program-error; parse_ip_simple; program: grsec; reference: url,wiki.softwink.com/bin/view/Main/5000030; sid: 5000030; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"GRSEC Denied resource overstep"; content:"denied resource overstep"; classtype: exploit-attempt; program: grsec; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000042; sid: 5000042; rev:2;)
rules/hordeimp.rules0000644000000000000000000000605211460047376013604 0ustar rootroot# Sagan hordeimp.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission.
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "[HORDEIMP] Informational message"; content: "[info]"; classtype: unknown; program: HORDE; reference: url,wiki.softwink.com/bin/view/Main/5000371; sid:5000371; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "[HORDEIMP] Notice message"; content: "[notice]"; classtype: unknown; program: HORDE; reference: url,wiki.softwink.com/bin/view/Main/5000263; sid:5000263; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "[HORDEIMP] Error message"; content: "[error]"; classtype: network-event; program: HORDE; reference: url,wiki.softwink.com/bin/view/Main/5000372; sid:5000372; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "[HORDEIMP] Emergency message"; content: "[emergency]"; classtype: network-event; program: HORDE; reference: url,wiki.softwink.com/bin/view/Main/5000369; sid:5000369; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "[HORDEIMP] IMP successful login"; content: "Login success for"; classtype: successful-user; program: HORDE; reference: url,wiki.softwink.com/bin/view/Main/5000370; sid:5000370; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: 
"[HORDEIMP] Failed login"; content: "FAILED LOGIN"; classtype: unsuccessful-user; program: HORDE; reference: url,wiki.softwink.com/bin/view/Main/5000368; sid:5000368; rev:1;) rules/hostapd.rules0000644000000000000000000001033611460047501013425 0ustar rootroot# Sagan hostapd.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
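#
#*************************************************************
#
# hostapd events as delivered over syslog.  Where a rule lists two "content:" options,
# both strings are expected to be present in the same message for the rule to fire.
#
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] Possible downgrade attack"; program: hostapd; content: "downgrade attack"; classtype: suspicious-traffic; reference: url, wiki.softwink.com/bin/view/Main/5001041; sid: 5001041; rev: 1;)
# msg changed (rev 1 -> 2): this rule carried the msg of sid 5001041 although it matches a
# different event (a TLSv1 decryption failure), so the two alerts could not be told apart in
# the alert output.  The content strings and classtype are unchanged.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] TLSv1 failed to decrypt"; program: hostapd; content: "TLSv1"; content: "Failed to decrypt"; classtype: unsuccessful-user; reference: url, wiki.softwink.com/bin/view/Main/5001042; sid: 5001042; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] UPnP DoS excessive addresses [DoS]"; program: hostapd; content: "UPnP"; content: "Ignoring excessive addresses"; classtype: attempted-dos; reference: url, wiki.softwink.com/bin/view/Main/5001043; sid: 5001043; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] Radius - Starting accounting session"; program: hostapd; content: "RADIUS"; content: "starting accounting session"; classtype: not-suspicious; reference: url, wiki.softwink.com/bin/view/Main/5001044; sid: 5001044; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] WPA pairwise key handshake complete"; program: hostapd; content: "WPA"; content: "pairwise key handshake completed"; classtype: not-suspicious; reference: url, wiki.softwink.com/bin/view/Main/5001045; sid: 5001045; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] IEEE 802.11 - Disassociated"; program: hostapd; content: "IEEE 802.11"; content: "disassociated"; classtype: not-suspicious; reference: url, wiki.softwink.com/bin/view/Main/5001046; sid: 5001046; rev: 1;)
# The leading space in " associated" is deliberate: without it the rule would also match
# "disassociated", which sid 5001046 already covers.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] IEEE 802.11 - Associated"; program: hostapd; content: "IEEE 802.11"; content: " associated"; classtype: successful-user; reference: url, wiki.softwink.com/bin/view/Main/5001047; sid: 5001047; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] WPA - group key handshake complete [RSN]"; program: hostapd; content: "WPA"; content: "group key handshake completed"; classtype: not-suspicious; reference: url, wiki.softwink.com/bin/view/Main/5001048; sid: 5001048; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] IEEE 802.11 - deauthenticated due to local deauth request"; program: hostapd; content: "IEEE 802.11"; content: "deauthenticated due to local deauth request"; classtype: not-suspicious; reference: url, wiki.softwink.com/bin/view/Main/5001049; sid: 5001049; rev: 1;)
rules/imapd.rules0000644000000000000000000000473511460047376013075 0ustar rootroot# Sagan imapd.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED.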
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg: "[IMAPD] User login failed"; pcre: "/Login failed user=|AUTHENTICATE LOGIN failure/i"; classtype: unsuccessful-user; parse_ip_simple; program: imapd; reference: url,wiki.softwink.com/bin/view/Main/5000367; sid: 5000367; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg: "[IMAPD] Successful login"; content: "Authenticated user="; classtype: successful-user; program: imapd; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000262; sid: 5000262; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg: "[IMAPD] User logout"; content: "Logout user="; classtype: not-suspicious; program: imapd; reference: url,wiki.softwink.com/bin/view/Main/5000276; sid:5000276; rev:1;) rules/ipop3d.rules0000644000000000000000000000404411460047376013172 0ustar rootroot# Sagan ipop3d.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"[IPOP3D] Excessive login failures"; content:"Login excessive login failures"; classtype: misc-attack; program: ipop3d; threshold:type limit, track by_src, count 5, seconds 300; reference: url,wiki.softwink.com/bin/view/Main/5000032; sid: 5000032; rev:1;) rules/juniper.rules0000644000000000000000000001374311460047376013456 0ustar rootroot# Sagan juniper.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # Submitted by Brad Doctor (July 2nd, 2010). 
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] AS group missing"; content: "no group for"; content:"from AS"; classtype: network-event; sid: 5000888; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] Duplicate IP address"; content: "KERN_ARP_DUPLICATE_ADDR"; classtype: network-event; sid: 5000889; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] BGP missing MD5 digest"; content: "missing MD5 digest"; classtype: network-event; sid: 5000890; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] ARP address change"; content: "KERN_ARP_ADDR_CHANGE"; classtype: network-event; sid: 5000891; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] BGP no route to host"; content: "bgp_connect_start"; content:"No route to host"; classtype: network-event; sid: 5000892; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] Login authentication error"; content: "LOGIN_PAM_AUTHENTICATION_ERROR"; content:"PAM authentication error for user"; classtype: network-event; sid: 5000893; threshold:type limit, track by_src, count 5, seconds 120; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] Possible authentication dictionary attack"; content: "LOGIN_INVALID_LOCAL_USER"; content:"No entry in local password"; classtype: network-event; sid: 5000894; threshold:type limit, track by_src, count 5, seconds 120; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] SONET Alarm"; content: "Asserting SONET alarm"; classtype: network-event; sid: 5000895; threshold:type limit, track by_src, count 5, seconds 120; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] Possible SONET ring failure"; content: "Major alarm set"; content:"SONET path remote failure indicator";classtype: network-event; sid: 5000896; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] SDH Alarm"; content: "Asserting SDH alarm"; classtype: network-event; 
sid: 5000897; threshold:type limit, track by_src, count 5, seconds 120; rev:1;) # Juniper Netscreens alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] Fragmented traffic"; program: Netscreen; content: "Fragmented traffic"; classtype: suspicious-traffic; reference: url,wiki.softwink.com/bin/view/Main/5000396; sid: 5000396; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] FIN but no ACK bit"; program: Netscreen; content: "FIN but no ACK bit"; classtype: suspicious-traffic; reference: url,wiki.softwink.com/bin/view/Main/5000397; sid: 5000397; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] Port scan!"; program: Netscreen; content: "Port scan"; classtype: network-scan; reference: url,wiki.softwink.com/bin/view/Main/5000398; sid: 5000398; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] ICMP fragment"; program: Netscreen; content: "ICMP fragment"; classtype: suspicious-traffic; reference: url,wiki.softwink.com/bin/view/Main/5000399; sid: 5000399; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] Malicious URL"; program: Netscreen; content: "Malicious URL"; classtype: suspicious-traffic; reference: url,wiki.softwink.com/bin/view/Main/5000400; sid: 5000400; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] Large ICMP packet"; program: Netscreen; content: "Large ICMP packet"; classtype: suspicious-traffic; reference: url,wiki.softwink.com/bin/view/Main/5000401; sid: 5000401; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] No tcp flag has been detected"; program: Netscreen; content: "No tcp flag has been detected"; classtype: suspicious-traffic; reference: url,wiki.softwink.com/bin/view/Main/5000402; sid: 5000402; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] Denied traffic"; program: Netscreen; content: "action=Deny"; classtype: network-event; reference: 
url,wiki.softwink.com/bin/view/Main/5000403; sid: 5000403; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] Syslog enabled"; program: Netscreen; content: "Syslog has been enabled"; classtype: system-event; reference: url,wiki.softwink.com/bin/view/Main/5000404; sid:5000404; rev:1;) rules/kismet.rules0000644000000000000000000002265611460047376013301 0ustar rootroot# Sagan kismet.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
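# IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
# This rule set requires a modified version of Kismet. To get the patch
# to modify Kismet for syslog output, please see:
#
# http://sagan.softwink.com/patches
#
# Every rule is keyed on "program: kismet_server"; the content strings are the alert
# keywords Kismet writes to syslog.  Typos in several msg texts were corrected and those
# rules bumped to rev 3; no content or pcre string was altered.
#
# New-network detections.  These fire for every network Kismet first sees, so expect
# volume on a busy site.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Detected new managed network"; program: kismet_server; content: "Detected new managed"; classtype: suspicious-traffic; reference: url, wiki.softwink.com/bin/view/Main/5001014; sid: 5001014; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Detected new ad-hoc network"; program: kismet_server; content: "Detected new ad-hoc"; classtype: suspicious-traffic; reference: url, wiki.softwink.com/bin/view/Main/5001015; sid: 5001015; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Detected new probe network"; program: kismet_server; content: "Detected new probe"; classtype: suspicious-traffic; reference: url, wiki.softwink.com/bin/view/Main/5001016; sid: 5001016; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Detected new turbocell network"; program: kismet_server; content: "Detected new turbocell"; classtype: suspicious-traffic; reference: url, wiki.softwink.com/bin/view/Main/5001017; sid: 5001017; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Detected new data network"; program: kismet_server; content: "Detected new data"; classtype: suspicious-traffic; reference: url, wiki.softwink.com/bin/view/Main/5001018; sid: 5001018; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Found IP address range"; program: kismet_server; content: "Found IP range"; classtype: suspicious-traffic; reference: url, wiki.softwink.com/bin/view/Main/5001019; sid: 5001019; rev: 2;)
# NOTE(review): sid 5001020 matches the same string as sid 5001019 ("Found IP range"), so
# every IP-range detection raises both alerts and nothing fires on Kismet start-up.  The
# intended start-up string has to be taken from the patched Kismet's syslog output; until it
# is confirmed this rule is effectively a duplicate of 5001019 with a misleading msg.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Kismet starting to gather packets [Startup]"; program: kismet_server; content: "Found IP range"; classtype: suspicious-traffic; reference: url, wiki.softwink.com/bin/view/Main/5001020; sid: 5001020; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Kismet shutting down"; program: kismet_server; content: "Stopped source"; classtype: suspicious-traffic; reference: url, wiki.softwink.com/bin/view/Main/5001040; sid: 5001040; rev: 2;)
# Kismet alert keywords for spoofing, flooding and injection conditions.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Older AirJack tool in use"; program: kismet_server; content: "AIRJACKSSID"; classtype: suspicious-traffic; reference: url, wiki.softwink.com/bin/view/Main/5001021; sid: 5001021; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Possible spoof/broken AP"; program: kismet_server; content: "APSPOOF"; classtype: suspicious-traffic; reference: url, wiki.softwink.com/bin/view/Main/5001022; sid: 5001022; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Out-of-sequence BSS timestamp. Possible AP spoof"; program: kismet_server; content: "BSSTIMESTAMP"; classtype: suspicious-traffic; reference: url, wiki.softwink.com/bin/view/Main/5001023; reference: url, http://www.wve.org/entries/show/WVE-2005-0019; sid: 5001023; rev: 2;)
# msg typo fixed (rev 2 -> 3): "Possibel" -> "Possible".
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] AP change channels. Possible AP spoof"; program: kismet_server; content: "CHANCHANGE"; classtype: suspicious-traffic; reference: url, wiki.softwink.com/bin/view/Main/5001024; reference: url, http://www.wve.org/entries/show/WVE-2005-0019; sid: 5001024; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] AP spoof with less-secure encryption"; program: kismet_server; content: "CRYPTODROP"; classtype: suspicious-traffic; reference: url, wiki.softwink.com/bin/view/Main/5001025; sid: 5001025; rev: 2;)
# msg typo fixed (rev 2 -> 3): "deauthenitcate" -> "deauthenticate".
# NOTE(review): the reference "WVE-2005-046" is padded differently from the other WVE ids
# in this file (four digits elsewhere); confirm the intended entry before relying on it.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Spoofed disassociated/deauthenticate packets"; program: kismet_server; pcre: "/DEAUTHFLOOD|BCASTDISCON/"; classtype: suspicious-traffic; reference: url, wiki.softwink.com/bin/view/Main/5001026; reference: url, http://www.wve.org/entries/show/WVE-2005-0019; reference: url, http://www.wve.org/entries/show/WVE-2005-0045; reference: url, http://www.wve.org/entries/show/WVE-2005-046; reference: url, http://www.wve.org/entries/show/WVE-2005-0061; sid: 5001026; rev: 3;)
# msg grammar fixed (rev 2 -> 3): "send" -> "sent".
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] DHCP DISCOVER sent with Client-ID not matching MAC"; program: kismet_server; content: "DHCPCLIENTID"; classtype: suspicious-traffic; reference: url, wiki.softwink.com/bin/view/Main/5001027; sid: 5001027; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Misconfigured or spoofed client [ignoring DHCP]"; program: kismet_server; content: "DHCPCONFLICT"; classtype: suspicious-traffic; reference: url, wiki.softwink.com/bin/view/Main/5001028; sid: 5001028; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Spoofed client [incorrectly] injecting data"; program: kismet_server; content: "DISASSOCTRAFFIC"; classtype: suspicious-traffic; reference: url, wiki.softwink.com/bin/view/Main/5001029; sid: 5001029; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Invalid disconnect/deauthenticate"; program: kismet_server; pcre: "/DISCONCODEINVALID|DEAUTHCODEINVALID/"; classtype: suspicious-traffic; reference: url, wiki.softwink.com/bin/view/Main/5001030; sid: 5001030; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Possible client spoof/MAC cloning attack"; program: kismet_server; pcre: "/DHCPNAMECHANGE|DHCPOSCHANGE/"; classtype: suspicious-traffic; reference: url, wiki.softwink.com/bin/view/Main/5001031; sid: 5001031; rev: 2;)
# Driver/firmware exploit signatures and scanner fingerprints.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Over-size SSID. Possible exploit attempt"; program: kismet_server; content: "LONGSSID"; classtype: exploit-attempt; reference: url, wiki.softwink.com/bin/view/Main/5001032; sid: 5001032; rev: 2;)
# msg typo fixed (rev 2 -> 3): "Orinico" -> "Orinoco".
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Older Lucent/Orinoco card scanning the network"; program: kismet_server; content: "LUCENTTEST"; classtype: network-scan; reference: url, wiki.softwink.com/bin/view/Main/5001033; sid: 5001033; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Broadcom wireless improper SSID handling"; program: kismet_server; content: "MSFBCOMSSID"; classtype: exploit-attempt; reference: url, wiki.softwink.com/bin/view/Main/5001034; reference: url, http://www.wve.org/entries/show/WVE-2006-0071; sid: 5001034; rev: 2;)
# msg trailing space removed (rev 2 -> 3).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Windows D-Link improper SSID handling"; program: kismet_server; content: "MSFDLINKRATE"; classtype: exploit-attempt; reference: url, wiki.softwink.com/bin/view/Main/5001035; reference: url, http://www.wve.org/entries/show/WVE-2006-0072; sid: 5001035; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Windows Netgear over-size beacon frame"; program: kismet_server; content: "MSFNETGEARBEACON"; classtype: exploit-attempt; reference: url, wiki.softwink.com/bin/view/Main/5001036; sid: 5001036; rev: 2;)
# msg typo fixed (rev 2 -> 3): "Netsumbler" -> "NetStumbler" (matches the content keyword).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Older version of NetStumbler detected"; program: kismet_server; content: "NETSTUMBLER"; classtype: exploit-attempt; reference: url, wiki.softwink.com/bin/view/Main/5001037; sid: 5001037; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Zero length probe/response packet"; program: kismet_server; content: "NULLPROBERESP"; classtype: attempted-dos; reference: url, wiki.softwink.com/bin/view/Main/5001038; reference: url, http://www.wve.org/entries/show/WVE-2005-0019; sid: 5001038; rev: 2;)
# msg typo fixed (rev 2 -> 3): "deteceted" -> "detected".
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Active scanning tool detected [probe]"; program: kismet_server; content: "PROBENOJOIN"; classtype: network-scan; reference: url, wiki.softwink.com/bin/view/Main/5001039; sid: 5001039; rev: 3;)
rules/knockd.rules0000644000000000000000000000431411460047376013245 0ustar rootroot# Sagan knockd.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED.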
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[KNOCKD] Open Sesame"; content: "OPEN SESAME"; classtype: successful-user; program: knockd; parse_ip_simple; reference:url,wiki.softwink.com/bin/view/Main/5000383; sid:5000383; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[KNOCKD] Sequence timeout"; content: "sequence timeout"; classtype: unsuccessful-user; program: knockd; reference: url,wiki.softwink.com/bin/view/Main/5000384; sid:5000384; rev:1;) rules/milter.rules0000644000000000000000000000500511460047376013266 0ustar rootroot# Sagan milter.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert syslog $EXTERNAL_NET any -> $HOME_NET 25 (msg:"[MILTER] Milter error state"; content:"Milter"; content:"to error state";classtype: program-error;program: sm-mta; reference: url,wiki.softwink.com/bin/view/Main/5000038; sid: 5000038; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET 25 (msg:"[MILTER] Mimedefang - No response from slave"; content: "No response from slave"; classtype: program-error;program: mimedefang; reference: url,wiki.softwink.com/bin/view/Main/5000039; sid: 5000039; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET 25 (msg:"[MILTER] SMF-SAV sendmail milter unable to verify"; pcre: "/sender check failed|sender check tempfailed/i"; classtype: program-error; program: smf-sav; reference: url,wiki.softwink.com/bin/view/Main/5000143; sid: 5000143; rev:1;) rules/mysql.rules0000644000000000000000000000626611460047376013151 0ustar rootroot# Sagan mysql.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
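#
#*************************************************************
#
# see: http://dev.mysql.com/doc/refman/5.1/en/error-log.html
#
# mysqld log rules. The "\d+ \S+ \d+ <Command>" patterns presumably target the general
# query log's "<time> <id> <Command>" rows (verify against the server's log format);
# the others key on literal error-log text. Port 3306 follows the convention used across
# these rule files of tagging each service by its usual port.

# Failed login: the literal "Access denied for user" error-log text.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"[MYSQL] Access denied for user"; content: "Access denied for user"; classtype: unsuccessful-user; program: mysqld; reference: url,wiki.softwink.com/bin/view/Main/5000149; sid: 5000149; rev:1;)

# A "Connect" row. rev:2 — the previous msg repeated sid 5000149's "Access denied for
# user" text although the pattern matches a Connect row, so every connection was
# reported as a failed login; the msg and classtype now mirror the "Quit" rule below.
# NOTE(review): whether a Connect row is also written for refused logins depends on the
# server version — confirm before treating this alert as proof of a successful login.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"[MYSQL] User connected to database"; pcre: "/\d+ \S+ \d+ Connect/i"; classtype: not-suspicious; program: mysqld; reference: url,wiki.softwink.com/bin/view/Main/5000150; sid: 5000150; rev:2;)

# A "Quit" row: a client disconnected.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"[MYSQL] User disconnected from database"; pcre: "/\d+ \S+ \d+ Quit/i"; classtype: not-suspicious; program: mysqld; reference: url,wiki.softwink.com/bin/view/Main/5000151; sid: 5000151; rev:1;)

# Server start or restart. This rule uses the "softwink" reference type rather than the
# explicit url form used elsewhere; the two resolve the same only if reference.config maps it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"[MYSQL] Database startup or restart"; pcre: "/mysqld started|mysqld restarted/i"; classtype: system-event; program: mysqld; reference:softwink,5000152; sid:5000152; rev:1;)

# An "[ERROR]" error-log line. rev:2 — "[ERROR]" was written unescaped, so PCRE read it
# as a character class matching any single letter E, R or O rather than the bracketed
# tag, and the rule fired on (or missed) the wrong lines. Only the escaping changed;
# the leading "\d+ \S+ \d+" structure is kept as the author wrote it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"[MYSQL] Database error"; pcre: "/\d+ \S+ \d+ \[ERROR\]/"; classtype: program-error; program: mysqld; reference: url,wiki.softwink.com/bin/view/Main/5000153; sid: 5000153; rev:2;)

# Literal "Fatal error" text (case-sensitive content match).
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"[MYSQL] Database fatal error"; content: "Fatal error"; classtype: program-error; program: mysqld; reference: url,wiki.softwink.com/bin/view/Main/5000154; sid: 5000154; rev:1;)
rules/nginx.rules0000644000000000000000000000737611460047376013122 0ustar rootroot# Sagan nginx.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.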
# # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
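#
#*************************************************************
#
# nginx error-log rules. The three severity rules expect a message of the form
# "<token> <token> [level] ..." (two whitespace-delimited tokens, then the bracketed
# severity tag); the remaining rules key on literal error text.

# rev:2 on sids 5000168, 5000169 and 5000170 — the tags were written as "[error]",
# "[warn]" and "[crit]" without escaping, so PCRE treated each as a character class
# matching ONE letter from the set (e.g. "[error]" matched any single e, r or o) and,
# with /i, the three rules fired on nearly any line whose third token began with one of
# those letters. The brackets are now escaped so each rule matches only its own tag.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx error message"; pcre: "/^\S+ \S+ \[error\]/i"; classtype: program-error; program: nginx; reference: url,wiki.softwink.com/bin/view/Main/5000168; sid: 5000168; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx warning message"; pcre: "/^\S+ \S+ \[warn\]/i"; classtype: program-error; program: nginx; reference: url,wiki.softwink.com/bin/view/Main/5000169; sid:5000169; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx critical message"; pcre: "/^\S+ \S+ \[crit\]/i"; classtype: program-error; program: nginx; reference: url,wiki.softwink.com/bin/view/Main/5000170; sid:5000170; rev:2;)

# A request for a path that does not exist. Any missing-file error matches, so this is
# best read as a request-to-nonexistent-resource signal (probing) rather than a fault.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx 404 error"; pcre: "/no such file or directory|is not found/i"; classtype: suspicious-filename-detect; program: nginx; reference: url,wiki.softwink.com/bin/view/Main/5000171; sid:5000171; rev:1;)

# The client aborted mid-request (socket error text appended by nginx).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx Incomplete client request"; content: "Software caused connection abort"; classtype: suspicious-traffic; program: nginx; reference: url,wiki.softwink.com/bin/view/Main/5000172; sid:5000172; rev:1;)

# First round trip of HTTP Basic auth: the client has not yet sent credentials. As the
# msg says, this is the initial 401, so it fires once per protected-page visit and is
# noise rather than a failed-login indicator; sid 5000174 covers actual failures.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx Initial 401 authentication request"; content: "no user/password was provided for basic authentication"; classtype: unsuccessful-user; program: nginx; reference: url,wiki.softwink.com/bin/view/Main/5000173; sid:5000173; rev:1;)

# Basic-auth failure: wrong password, or a username absent from the password file.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx Web authentication failed"; pcre: "/password mismatch, client|was not found in/i"; classtype: unsuccessful-user; program: nginx; reference: url,wiki.softwink.com/bin/view/Main/5000174; sid:5000174; rev:1;)

# A request path longer than the filesystem allows (overlong-URI probes end up here).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx Invalid URI, file name too long"; content: "File name too long"; classtype: suspicious-filename-detect; program: nginx; reference: url,wiki.softwink.com/bin/view/Main/5000175; sid:5000175; rev:1;)
rules/ntp.rules0000644000000000000000000000373711460047376012575 0ustar rootroot# Sagan ntp.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.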
#
#*************************************************************
#
# "permission denied" from ntpd's resolver helper. NOTE(review): the program tag is
# "ntpd_initres", not "ntpd", so the same text logged under the main ntpd tag will not
# match; add a second rule (or widen the program list) if that is wanted. The content
# match is case-sensitive, so "Permission denied" would also be missed.
alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg: "[NTP] Permission denied error"; content:"permission denied"; program: ntpd_initres; classtype: program-error; reference: url,wiki.softwink.com/bin/view/Main/5000041; sid: 5000041; rev:1;)
rules/openssh.rules0000644000000000000000000002064211460047573013454 0ustar rootroot# Sagan openssh.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
# Not getting the source IP addresses that you'd expect? Then you probably
# have OpenSSH's "UseDNS" set to "Yes" in your sshd_config file. You'll
# need to set that to "No" so Sagan can "find" the source IP addresses and
# port information.
#
# The "threshold:type limit, track by_src, count 5, seconds 300" clauses below follow
# the Snort threshold syntax: per source address, at most 5 alerts are emitted in any
# 300-second window, which keeps a password-guessing run from flooding the console while
# still surfacing it. Raise or lower count/seconds to taste; do not drop the threshold
# on the failure rules without a downstream aggregator in place.

# PAM-reported failure (capital "A"); sid 5000016 catches the lowercase sshd variant.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] PAM Authentication failure"; content: "Authentication failure"; classtype: unsuccessful-user; reference: url,wiki.softwink.com/bin/view/Main/5000015; parse_ip_simple; program: sshd; threshold:type limit, track by_src, count 5, seconds 300; sid: 5000015; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] Authentication failure"; content: "authentication failure"; classtype: unsuccessful-user;program: sshd; threshold:type limit, track by_src, count 5, seconds 300; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000016; sid: 5000016; rev:1;)

# Same text with the root account named; classed unsuccessful-admin so it can be
# prioritised separately. A message matching this rule also matches sid 5000015.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] Authentication failure for root"; content: "Authentication failure for root"; classtype: unsuccessful-admin;program: sshd; threshold:type limit, track by_src, count 5, seconds 300; parse_ip_simple; parse_port_simple; reference: url,wiki.softwink.com/bin/view/Main/5000017; sid: 5000017; rev:1;)

# sshd's "POSSIBLE BREAK-IN ATTEMPT" text. NOTE(review): sshd emits this on a
# forward/reverse DNS mismatch for the client (confirm against your sshd version), so
# despite the wording it is usually a DNS-hygiene signal rather than an intrusion.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] Possible break-in attempt"; content: "POSSIBLE BREAK-IN ATTEMPT"; classtype: unsuccessful-user; program: sshd; threshold: type limit, track by_src, count 5, seconds 300; parse_ip_simple; parse_port_simple; reference: url,wiki.softwink.com/bin/view/Main/5000018; sid: 5000018; rev:1;)

# Login to an account whose configured shell is not executable.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] Not executable shell - login attempt"; content: "is not executable"; classtype: unsuccessful-user; program: sshd; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000020; sid: 5000020; rev:1;)

# Internal write error from sshd's message send path; a connectivity/health signal.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] Message send write error"; content: "ssh_msg_send";classtype: network-event; program: sshd; reference: url,wiki.softwink.com/bin/view/Main/5000021; sid:5000021; rev:1;)

# Login attempt for a non-existent account. This rule uses the "drop" action rather than
# "alert" (rev:4) — check how the installed Sagan treats "drop" before relying on it.
# NOTE(review): classtype not-suspicious understates what this normally is, namely one
# probe of a credential-guessing run against unknown usernames; unsuccessful-user would
# align it with the other failure rules in this file.
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] Invalid or illegal user"; pcre: "/invalid user|illegal user/i"; classtype: not-suspicious; program: sshd; parse_ip_simple; parse_port_simple; threshold:type limit, track by_src, count 5, seconds 300; reference: url,wiki.softwink.com/bin/view/Main/5000022; sid: 5000022; rev:4;)

# Champ Clark (Softwink, Inc) - Jan 27th 2010 - Out of band challenge - for more info see: http://sourceforge.net/projects/pamobc/
# All three content strings must appear in the same message for this to fire.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "[OPENSSH] Out-of-Band challenge failure"; content: "Failed auth"; content: "out-of-band challenge"; content: "pam_obc"; parse_ip_simple; classtype: unsuccessful-user;program: sshd; reference: url,wiki.softwink.com/bin/view/Main/5000023; sid: 5000023; rev:2;)

# A client sent something other than an SSH version banner on port 22.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "[OPENSSH] Bad protocol version - possible attack"; content: "Bad protocol version identification"; parse_ip_simple; classtype: non-standard-protocol; program: sshd; reference: url,wiki.softwink.com/bin/view/Main/5000068; sid: 5000068; rev:1;)

# Client connected but never completed authentication before LoginGraceTime expired.
# NOTE(review): no parse_ip_simple here, so the alert carries no client address.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 ( msg: "[OPENSSH] Timeout while logging in"; content:"Timeout before authentication" ;classtype: unsuccessful-user; program: sshd; reference: url,wiki.softwink.com/bin/view/Main/5000069; sid: 5000069; rev:1;)
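# Connection closed without the client ever sending its version string; typical of
# port scanners and banner grabbers, hence classtype network-scan.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "[OPENSSH] No identification string - possible scan"; content:"Did not receive identification string"; classtype: network-scan; program: sshd; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000070; sid: 5000070; rev:2;)

# Malformed string in the challenge-response exchange; the author classes it as an
# exploit attempt. NOTE(review): no parse_ip_simple, so no client address on the alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "[OPENSSH] OpenSSH challenge-response exploit"; content: "buffer_get_string: bad string"; classtype: exploit-attempt; program: sshd; reference: url,wiki.softwink.com/bin/view/Main/5000071; sid: 5000071; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "[OPENSSH] Message without user-IP and context"; content: "Could not get shadow information for NOUSER"; classtype: misc-attack; program: sshd; reference: url,wiki.softwink.com/bin/view/Main/5000072; sid: 5000072; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] Corrupted traffic"; content: "Corrupted check bytes on"; classtype: network-event; program: sshd; reference: url,wiki.softwink.com/bin/view/Main/5000073; sid: 5000073; rev:1;)

# sshd's built-in detector for the SSH-1 CRC32 compensation attack fired. rev:2 — the
# second reference was written as "url, http://www.securityfocus.com/…": the url
# reference type supplies the scheme itself and the stray space after the comma does not
# match the "url,<host/path>" form used by every other reference in these files, so it
# is now written the same way as the others. The matching is unchanged.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] CRC32 compensation attack"; content: "crc32 compensation attack"; nocase; classtype: shellcode-detect; program: sshd; reference: url,wiki.softwink.com/bin/view/Main/5000074; reference: url,www.securityfocus.com/bid/2347/info/; sid: 5000074; rev:2;)

# Any successful login ("Accepted …" / "… authenticated"). Note that every message
# matching sid 5000406 ("Accepted publickey") also matches this rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] Authentication success"; pcre: "/accepted|authenticated/i"; classtype: successful-user; program: sshd; parse_port_simple; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000075; sid: 5000075; rev:2;)

# sshd rejected an entry in its moduli file; a configuration fault, not an attack.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] configuration error [moduli]"; content: "Bad prime description in line"; classtype: program-error; program: sshd; reference: url,wiki.softwink.com/bin/view/Main/5000076; sid: 5000076; rev:1;)

# Login refused by an AllowUsers/DenyUsers/AllowGroups-style policy ("not allowed because").
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] Attempt to login using a denied user"; content: "not allowed because"; classtype: unsuccessful-user; program: sshd; reference: url,wiki.softwink.com/bin/view/Main/5000077; sid:5000077; rev:1;)

# Key-based login. NOTE(review): this rule has parse_port_simple but, unlike sid 5000075,
# no parse_ip_simple, so the alert carries the port but not the client address.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] Accepted publickey"; content: "Accepted publickey" ; classtype: successful-user; program: sshd; parse_port_simple; reference: url,wiki.softwink.com/bin/view/Main/5000406; sid:5000406; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] Session closed"; content: "session closed for" ; classtype: not-suspicious; program: sshd; reference: url,wiki.softwink.com/bin/view/Main/5000407; sid:5000407; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] Received disconnect"; content: "Received disconnect from"; classtype: not-suspicious; program: sshd; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000408; sid:5000408; rev:2;)

# Interactive login to a service/system account that should never log in. Both pcre
# clauses must match the same message. NOTE(review): the second pcre anchors every
# alternative with ^…$, which requires the whole matched text to be a bare account
# name; unless Sagan applies pcre to an extracted username field rather than the full
# message, that can never hold together with the first clause and the rule is dead.
# Confirm against the installed Sagan's pcre semantics before relying on it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "[OPENSSH] User logged into a disabled account"; pcre: "/accepted|authenticated/i"; pcre: "/^apache$|^mysql$|^www$|^nobody$|^nogroup$|^portmap$|^named$|^rpc$|^mail$|^ftp$|^shutdown$|^halt$|^daemon$|^bin$|^postfix$|^shell$|^info$|^guest$|^psql$|^user$|^users$|^console$|^uucp$|^lp$|^sync$|^sshd$|^cdrom$|^ossec$|^sagan$/"; parse_ip_simple; parse_port_simple; classtype: successful-user; reference: url,wiki.softwink.com/bin/view/Main/5000411; program: sshd; sid: 5000411; rev:2;)
rules/ossec.rules0000644000000000000000000001313511460047376013101 0ustar rootroot# Sagan ossec.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.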
# # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************
#
# Rules for OSSEC alerts relayed through syslog (program tag "ossec"). Every rule here is
# classed system-event. Several of the msg strings begin with "Ignoring …", which suggests
# these entries exist to give known-noisy OSSEC messages a low-priority home; the ones that
# are genuinely security-relevant are called out below.

alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Agent started"; content: "Agent started"; classtype: system-event; program: ossec; reference: url,wiki.softwink.com/bin/view/Main/5000285; sid: 5000285; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Ossec started"; content: "Ossec started"; classtype: system-event; program: ossec; reference: url,wiki.softwink.com/bin/view/Main/5000287; sid: 5000287; rev:1;)

# An agent stopped reporting. Worth watching: a host that goes quiet is also a host
# whose monitoring may have been tampered with.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Agent disconnect"; content: "Agent disconnected"; classtype: system-event; program: ossec; reference: url,wiki.softwink.com/bin/view/Main/5000288; sid: 5000288; rev:1;)

# NOTE(review): this pcre contains an unescaped "/" inside "Exchsrvrr/Mailroot". Whether
# that truncates the expression depends on how Sagan locates the closing delimiter; if it
# takes the first "/", everything after "Exchsrvrr" is lost. Escaping it as
# "Exchsrvrr\/Mailroot" is safe either way. "Exchsrvrr" (double r) also looks like a typo
# for the Exchange directory name — verify against the OSSEC message it was copied from.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Ignored common NTFS ADS entries"; pcre: "/Zone.Identifier|Exchsrvrr/Mailroot|vsi|encryptable/i"; classtype: system-event; program: ossec; reference: url,wiki.softwink.com/bin/view/Main/5000289; sid: 5000289; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Windows Audit"; content: "Windows Audit"; classtype: system-event; program: ossec; reference: url,wiki.softwink.com/bin/view/Main/5000290; sid: 5000290; rev:1;)

# NOTE(review): a malware finding classed system-event will sort with agent restarts;
# a more specific classtype would let it be prioritised.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Windows Malware"; content: "Windows Malware"; classtype: system-event; program: ossec; reference: url,wiki.softwink.com/bin/view/Main/5000291; sid: 5000291; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Windows application monitor event"; content: "Application Found"; classtype: system-event; program: ossec; reference: url,wiki.softwink.com/bin/view/Main/5000292; sid: 5000292; rev:1;)

# Scan start/stop bookkeeping; anchored with ^ so only messages that begin with the
# phrase match.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Ignoring rootcheck/syscheck scan messages"; pcre: "/^Starting rootcheck scan|^Ending rootcheck scan|^Starting syscheck scan|^Ending syscheck scan/i"; classtype: system-event; program: ossec; reference: url,wiki.softwink.com/bin/view/Main/5000293; sid: 5000293; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] System Audit"; content: "System Audit"; classtype: system-event; program: ossec; reference: url,wiki.softwink.com/bin/view/Main/5000294; sid: 5000294; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Windows Adware/Spyware application found"; pcre: "/Adware|Spyware/i"; classtype: system-event; program: ossec; reference: url,wiki.softwink.com/bin/view/Main/5000295; sid: 5000295; rev:1;)

# Disk-usage monitor. Both content strings must appear. NOTE(review): the second string
# is "dh -h"; if the monitored command is df, this is a typo and the rule never fires —
# check against the actual OSSEC output line before changing it.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Partition usage reached 100% [disk space monitor]"; content: "output"; content: "dh -h"; classtype: system-event; program: ossec; reference: url,wiki.softwink.com/bin/view/Main/5000296; sid: 5000296; rev:1;)

# Removable/external media paths (no /i flag, so the match is case-sensitive).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Ignoring external medias"; pcre: "/\/cdrom|\/media|usb|\/mount|floppy|dvd/"; classtype: system-event; program: ossec; reference: url,wiki.softwink.com/bin/view/Main/5000297; sid: 5000297; rev:1;)

# Matches any message containing "agentless", not only checksum changes — broader than
# the msg text suggests.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Integrity checksum for agentless device changed"; content: "agentless"; classtype: system-event; program: ossec; reference: url,wiki.softwink.com/bin/view/Main/5000298; sid: 5000298; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Log file rotated"; content: "File rotated"; classtype: system-event; program: ossec; reference: url,wiki.softwink.com/bin/view/Main/5000299; sid: 5000299; rev:1;)

# A monitored file shrank. Rotation is the benign cause; truncation of a log by someone
# covering their tracks is the other, so correlate with sid 5000299 before dismissing.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] File size reduced"; content: "File size reduced"; classtype: system-event; program: ossec; reference: url,wiki.softwink.com/bin/view/Main/5000300; sid: 5000300; rev:1;)

# Windows event log cleared. NOTE(review): this is a classic anti-forensics indicator and
# should normally be treated as high priority; system-event is likely too low for it.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Microsoft event log cleared"; content: "Event log cleared"; classtype: system-event; program: ossec; reference: url,wiki.softwink.com/bin/view/Main/5000301; sid: 5000301; rev:1;)
rules/php.rules0000644000000000000000000000625611460047376012562 0ustar rootroot# Sagan php.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
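#
#*************************************************************
#
# PHP rules. PHP writes its diagnostics into the web server's error log, so these are
# scoped to program "apache" and port 80, like apache.rules.

# The three standard PHP diagnostic prefixes; all content matches are case-sensitive.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "[PHP] Fatal error"; content: "PHP Fatal error"; classtype: program-error; program: apache; reference: url,wiki.softwink.com/bin/view/Main/5000236; sid: 5000236; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "[PHP] Warning message"; content: "PHP Warning"; classtype: program-error; program: apache; reference: url,wiki.softwink.com/bin/view/Main/5000237; sid: 5000237; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "[PHP] Parse error"; content: "PHP Parse error"; classtype: program-error; program: apache; reference: url,wiki.softwink.com/bin/view/Main/5000238; sid: 5000238; rev:1;)

# PHP emits this when a function receives an array where it expected a string; in a web
# context that typically means a request parameter was supplied in array form (a common
# input-validation probe), which is why the author classes it exploit-attempt rather than
# program-error. Expect some benign hits from buggy applications.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "[PHP] Possible web attack"; content: "expects parameter 1 to be string, array given in"; classtype: exploit-attempt; program: apache; reference: url,wiki.softwink.com/bin/view/Main/5000240; sid: 5000240; rev:1;)

# include/require or fopen of a path that could not be opened.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "[PHP] Internal error [missing file]"; pcre: "/failed opening|failed to open stream/i"; classtype: program-error; program: apache; reference: url,wiki.softwink.com/bin/view/Main/5000241; sid: 5000241; rev:1;)

# Call to a function that does not exist. rev:2 — the pattern previously also carried
# "failed opening required", which is a missing-file condition already fully covered by
# sid 5000241 ("failed opening" is a prefix of it), so every such message produced two
# alerts, one of them mislabelled. The pattern now matches only what the msg describes.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "[PHP] Internal error [call to undefined function]"; pcre: "/call to undefined function/i"; classtype: program-error; program: apache; reference: url,wiki.softwink.com/bin/view/Main/5000242; sid: 5000242; rev:2;)
rules/postfix.rules0000644000000000000000000000476011460047376013465 0ustar rootroot# Sagan postfix.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.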
# # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************
#
# Postfix rules (program tag "postfix", port 25).

# A connecting client was rejected because a DNS blocklist lookup matched ("blocked using
# <list>"). Classed spam; the volume of these is a useful indicator of inbound spam
# pressure rather than something to act on individually.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"[POSTFIX] IP Address black-listed by anti-spam [blocked]"; content: "blocked using"; classtype: spam; program: postfix; reference: url,wiki.softwink.com/bin/view/Main/5000225; sid: 5000225; rev:1;)

# Delivery deferred because of a local resource/service failure.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"[POSTFIX] Processing error"; pcre: "/defer service failure|resource temporarily unavailable/i"; classtype: program-error; program: postfix; reference: url,wiki.softwink.com/bin/view/Main/5000226; sid: 5000226; rev:1;)

# Failed SMTP AUTH. NOTE(review): no threshold here, unlike the sshd failure rules, so a
# credential-guessing run against submission will alert once per attempt; no
# parse_ip_simple either, so the alert is not attributed to a client address.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"[POSTFIX] SASL authentication failure"; content: "authentication failed"; classtype: unsuccessful-user; program: postfix; reference: url,wiki.softwink.com/bin/view/Main/5000227; sid: 5000227; rev:1;)
rules/postgresql.rules0000644000000000000000000000723211460047376014171 0ustar rootroot# Sagan postgresql.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
# PostgreSQL rules (program tag "postgres", port 5432).
#
# NOTE(review): the severity rules below (sids 5000229, 5000373, 5000230, 5000231,
# 5000232) match the bare upper-case words "LOG", "NOTICE", "INFO", "ERROR", "FATAL" and
# "DEBUG" as case-sensitive substrings anywhere in the message, not as the leading
# severity tag. Any message whose text happens to contain those letters in that case
# (a table or column name, a quoted query) will match, and one message may hit several
# of them. Anchoring on the "<severity>:" prefix would make them precise. All five are
# classed program-error, including LOG/NOTICE/INFO/DEBUG, which are informational.
alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg: "[POSTGRESQL] Log message"; content: "LOG"; classtype: program-error; program: postgres; reference: url,wiki.softwink.com/bin/view/Main/5000229; sid: 5000229; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg: "[POSTGRESQL] Informational message"; pcre: "/NOTICE|INFO/"; classtype: program-error; program: postgres; reference: url,wiki.softwink.com/bin/view/Main/5000373; sid: 5000373; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg: "[POSTGRESQL] Error message"; content: "ERROR"; classtype: program-error; program: postgres; reference: url,wiki.softwink.com/bin/view/Main/5000230; sid: 5000230; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg: "[POSTGRESQL] Fatal error message"; content: "FATAL"; classtype: program-error; program: postgres; reference: url,wiki.softwink.com/bin/view/Main/5000231; sid: 5000231; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg: "[POSTGRESQL] Debug message"; content: "DEBUG"; classtype: program-error; program: postgres; reference: url,wiki.softwink.com/bin/view/Main/5000232; sid: 5000232; rev:1;)

# A client passed pg_hba authentication. Only present when connection logging is enabled
# on the server; absence of these alerts does not mean no one is connecting.
alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg: "[POSTGRESQL] Database authentication success"; content: "connection authorized"; classtype: successful-user; program: postgres; reference: url,wiki.softwink.com/bin/view/Main/5000233; sid: 5000233; rev:1;)

# Failed login. NOTE(review): no threshold and no parse_ip_simple, so a guessing run
# alerts per attempt and is not attributed to a client address.
alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg: "[POSTGRESQL] Database authentication failure"; content: "authentication failed"; classtype: unsuccessful-user; program: postgres; reference: url,wiki.softwink.com/bin/view/Main/5000234; sid: 5000234; rev:1;)

# Server shutdown / connection termination messages; classed not-suspicious.
alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg: "[POSTGRESQL] Database shutdown message"; pcre: "/terminating connection due|aborting any active transactions|shutting down/i"; classtype: not-suspicious; program: postgres; reference: url,wiki.softwink.com/bin/view/Main/5000235; sid: 5000235; rev:1;)
rules/pptp.rules0000644000000000000000000000436111460047376012751 0ustar rootroot# Sagan pptp.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"[PPTP] Failed message [communications error]"; pcre: "/GRE: \S+ from \S+ failed: status = -1/"; classtype: network-event; program: pptpd; reference: url,wiki.softwink.com/bin/view/Main/5000134; sid: 5000134; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"[PPTP] Connection established"; content: "control connection started"; classtype: successful-user; program: pptpd; reference: url,wiki.softwink.com/bin/view/Main/5000135; sid:5000135; rev:1;) rules/proftpd.rules0000644000000000000000000001534611460047376013461 0ustar rootroot# Sagan proftpd.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
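#
#*************************************************************
#
# ProFTPD log signatures. Each rule carries "program: proftpd" so it is only
# evaluated against proftpd-tagged syslog lines; the match itself is either a
# literal "content" substring or a "pcre" expression (alternations use pcre,
# see 5000081 and 5000087). Re-flowed to one rule per line.
#
# Changes in this revision:
#   5000088 - the msg string was missing its closing quote, which breaks the
#             option parse for the whole rule.
#   5000413 - program was "sshd" (copy/paste from the sshd rule set) while the
#             content is the proftpd "Login successful" line also used by
#             5000082, so the rule could never match; now "program: proftpd".
#   Option spacing normalised ("; content:" / "sid: ") to match the rest of
#   the file; no match strings were changed except where noted above.
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[PROFTPD] Session opened"; content: "FTP session opened"; classtype: not-suspicious; program: proftpd; reference: url,wiki.softwink.com/bin/view/Main/5000078; sid: 5000078; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[PROFTPD] Session closed"; content: "FTP session closed"; classtype: not-suspicious; program: proftpd; reference: url,wiki.softwink.com/bin/view/Main/5000079; sid: 5000079; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[PROFTPD] Attempt to login as a non-existent user"; content: "no such user"; classtype: unsuccessful-user; program: proftpd; reference: url,wiki.softwink.com/bin/view/Main/5000080; sid: 5000080; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[PROFTPD] Login failed accessing the FTP server"; pcre: "/Incorrect password|Login failed/i"; classtype: unsuccessful-user; program: proftpd; reference: url,wiki.softwink.com/bin/view/Main/5000081; sid: 5000081; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[PROFTPD] Authentication success"; content: "Login successful"; classtype: successful-user; program: proftpd; reference: url,wiki.softwink.com/bin/view/Main/5000082; sid: 5000082; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[PROFTPD] Connection refused by TCP Wrappers"; content: "refused connect from"; classtype: tcp-connection; program: proftpd; reference: url,wiki.softwink.com/bin/view/Main/5000083; sid: 5000083; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[PROFTPD] Small PassivePorts range in config file"; content: "unable to find open port in PassivePorts range"; classtype: program-error; program: proftpd; reference: url,wiki.softwink.com/bin/view/Main/5000084; sid: 5000084; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[PROFTPD] Attempt to bypass firewall - cannot keep state of FTP traffic"; content: "Refused PORT"; classtype: suspicious-traffic; program: proftpd; reference: url,wiki.softwink.com/bin/view/Main/5000085; sid: 5000085; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[PROFTPD] Maximum login attempts reached [DoS?]"; content: "Maximum login attempts"; classtype: successful-dos; program: proftpd; reference: url,wiki.softwink.com/bin/view/Main/5000086; sid: 5000086; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[PROFTPD] Host name or host address mismatch"; pcre: "/name mismatch|address mismatch/i"; classtype: suspicious-traffic; program: proftpd; reference: url,wiki.softwink.com/bin/view/Main/5000087; sid: 5000087; rev:1;)
# 5000088: closing quote restored on the msg string.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[PROFTPD] Reverse lookup failure"; content: "can't verify hostname"; classtype: suspicious-traffic; program: proftpd; reference: url,wiki.softwink.com/bin/view/Main/5000088; sid: 5000088; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[PROFTPD] Remote host connected to FTP server"; content: "connect from"; classtype: not-suspicious; program: proftpd; reference: url,wiki.softwink.com/bin/view/Main/5000089; sid: 5000089; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[PROFTPD] Remote host disconnected due to inactivity"; content: "FTP no transfer timeout, disconnected"; classtype: not-suspicious; program: proftpd; reference: url,wiki.softwink.com/bin/view/Main/5000090; sid: 5000090; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[PROFTPD] Remote host disconnected due to login time out"; content: "FTP login timed out"; classtype: not-suspicious; program: proftpd; reference: url,wiki.softwink.com/bin/view/Main/5000091; sid: 5000091; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[PROFTPD] Remote host disconnected due to time out"; content: "FTP session idle timeout"; classtype: not-suspicious; program: proftpd; reference: url,wiki.softwink.com/bin/view/Main/5000374; sid: 5000374; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[PROFTPD] Data transfer stall timeout"; content: "Data transfer stall timeout"; classtype: not-suspicious; program: proftpd; reference: url,wiki.softwink.com/bin/view/Main/5000092; sid: 5000092; rev:1;)
# Two content options must both be present in the same line (daemon exit on SIGSEGV).
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[PROFTPD] terminated [crash]"; content: "ProFTPD terminating"; content: "signal 11"; classtype: program-error; program: proftpd; reference: url,wiki.softwink.com/bin/view/Main/5000093; sid: 5000093; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[PROFTPD] Unable to bind to address"; content: "listen"; content: "failed in"; classtype: program-error; program: proftpd; reference: url,wiki.softwink.com/bin/view/Main/5000094; sid: 5000094; rev:1;)
# 5000413: program corrected from "sshd" to "proftpd" (see header).
# NOTE(review): the pcre anchors every name as ^name$, i.e. the whole message
# must equal the user name, which a line that also contains "Login successful"
# never does. Unless this Sagan build applies pcre to an extracted user field,
# the rule cannot fire. A rewrite needs the exact position of the user name in
# the proftpd login line - confirm against a live log before changing the match.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "[PROFTPD] User logged into a disabled account"; content: "Login successful"; pcre: "/^apache$|^mysql$|^www$|^nobody$|^nogroup$|^portmap$|^named$|^rpc$|^mail$|^ftp$|^shutdown$|^halt$|^daemon$|^bin$|^postfix$|^shell$|^info$|^guest$|^psql$|^user$|^users$|^console$|^uucp$|^lp$|^sync$|^sshd$|^cdrom$|^ossec$|^sagan$/"; classtype: successful-user; reference: url,wiki.softwink.com/bin/view/Main/5000413; program: proftpd; sid: 5000413; rev:2;)
rules/pure-ftpd.rules0000644000000000000000000000736011460047376013706 0ustar rootroot# Sagan pure-ftpd.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.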
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
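#
#*************************************************************
#
# Pure-FTPd log signatures. Each rule carries "program: pure-ftpd"; the match
# is a literal "content" substring or a "pcre" expression. Pure-FTPd prefixes
# its messages with a bracketed level ("[INFO]", "[WARNING]", "[NOTICE]").
# Re-flowed to one rule per line.
#
# Changes in this revision:
#   5000219, 5000222, 5000414 - "[INFO]" inside a pcre is a character class
#             (one of I, N, F, O), not the literal text, so "[INFO] Logout"
#             could only match "O Logout" and never the real "[INFO] Logout"
#             line. The brackets are now escaped: "\[INFO\]".
#   5000222 - "reference :" normalised to "reference:".
#   5000414 - had a stray ";;", "program: sshd" (copy/paste from the sshd
#             rules; only pure-ftpd lines carry the "[INFO] ... is now logged
#             in" text matched here) and two pcre options whose second one
#             anchored each name as ^name$ - the whole message would have to
#             equal the user name, so both could never match one line. The two
#             are merged into one expression with the name list in the user
#             position of the login line; program corrected to pure-ftpd.
#   Trailing "; )" normalised to ";)" as in the other rule files.
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[PUREFTPD] New FTP connection"; content: "[INFO] New connection from"; classtype: not-suspicious; program: pure-ftpd; reference: url,wiki.softwink.com/bin/view/Main/5000216; sid: 5000216; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[PUREFTPD] Authentication failed"; content: "[WARNING] Authentication failed for user"; classtype: unsuccessful-user; program: pure-ftpd; reference: url,wiki.softwink.com/bin/view/Main/5000217; sid: 5000217; rev:1;)
# 5000219: brackets escaped so "[INFO]" is matched literally.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[PUREFTPD] FTP user logout or timeout"; pcre: "/\[INFO\] Logout|\[INFO\] Timeout/"; classtype: not-suspicious; program: pure-ftpd; reference: url,wiki.softwink.com/bin/view/Main/5000219; sid: 5000219; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[PUREFTPD] FTP notice message"; content: "[NOTICE]"; classtype: program-error; program: pure-ftpd; reference: url,wiki.softwink.com/bin/view/Main/5000220; sid: 5000220; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[PUREFTPD] Attempting to access invalid directory"; content: "[INFO] Can't change directory to"; classtype: suspicious-filename-detect; program: pure-ftpd; reference: url,wiki.softwink.com/bin/view/Main/5000221; sid: 5000221; rev:1;)
# 5000222: brackets escaped; \S+ is the user name in the login line.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[PUREFTPD] FTP Authentication successful"; pcre: "/\[INFO\] \S+ is now logged in/"; classtype: successful-user; program: pure-ftpd; reference: url,wiki.softwink.com/bin/view/Main/5000222; sid: 5000222; rev:2;)
# 5000414: same login line as 5000222, restricted to the service/system
# account names that should never log in interactively. The group sits where
# 5000222 has \S+, so each name still has to match exactly (it is bounded by
# "] " and " is now").
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "[PUREFTPD] User logged into a disabled account"; pcre: "/\[INFO\] (apache|mysql|www|nobody|nogroup|portmap|named|rpc|mail|ftp|shutdown|halt|daemon|bin|postfix|shell|info|guest|psql|user|users|console|uucp|lp|sync|sshd|cdrom|ossec|sagan) is now logged in/"; classtype: successful-user; reference: url,wiki.softwink.com/bin/view/Main/5000414; program: pure-ftpd; sid: 5000414; rev:2;)
rules/racoon.rules0000644000000000000000000000677211460047376013263 0ustar rootroot# Sagan racoon.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.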
# #************************************************************* alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[RACOON] - Informational message"; content: "INFO"; classtype: program-error; program: racoon; reference: url,wiki.softwink.com/bin/view/Main/5000269; sid: 5000269; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[RACOON] - Error message"; content: "ERROR"; classtype: program-error; program: racoon; reference: url,wiki.softwink.com/bin/view/Main/5000270; sid: 5000270; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[RACOON] - Warning message"; content: "WARNING"; classtype: program-error; program: racoon; reference: url,wiki.softwink.com/bin/view/Main/5000271; sid: 5000271; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[RACOON] - ISAKMP-SA - VPN established"; content: "ISAKMP-SA established"; classtype: successful-user ; program: racoon; reference: url,wiki.softwink.com/bin/view/Main/5000272; sid: 5000272; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[RACOON] - Roadwarrior configuration error [ignored error]"; content: "such policy does not already exist"; classtype: unsuccessful-user; program: racoon; reference: url,wiki.softwink.com/bin/view/Main/5000273; sid: 5000273; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[RACOON] - Roadwarrior configuration error [ignored warning]"; content: "ignore INITIAL-CONTACT notification"; classtype: unsuccessful-user; program: racoon; reference: url,wiki.softwink.com/bin/view/Main/5000274; sid: 5000274; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[RACOON] - Invalid configuration settings [ignored error]"; content: "ERROR"; pcre: "/invalid attribute|rejected/i"; classtype: program-error; program: racoon; reference: url,wiki.softwink.com/bin/view/Main/5000275; sid: 5000275; rev:1;) rules/reference.config0000644000000000000000000000445111460047376014047 0ustar rootroot# Sagan apache.rules # Copyright (c) 2009-2010, 
Softwink, Inc. # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # The following defines URLs for the references found in the rules # config reference: system URL. Most of these are from Sourcefire's # 'Snort'. 
config reference: bugtraq,http://www.securityfocus.com/bid/ config reference: cve,http://cve.mitre.org/cgi-bin/cvename.cgi?name= config reference: arachNIDS,http://www.whitehats.com/info/IDS config reference: McAfee,http://vil.nai.com/vil/content/v_ config reference: nessus,http://cgi.nessus.org/plugins/dump.php3?id= config reference: url,http:// #config reference: softwink,https://wiki.softwink.com/bin/view/Main/ rules/roundcube.rules0000644000000000000000000000436011460047376013763 0ustar rootroot# Sagan roundcube.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[ROUNDCUBE] - Authentication failed"; content: "failed"; content: "LOGIN"; classtype: unsuccessful-user; program: roundcube; reference: url,wiki.softwink.com/bin/view/Main/5000277; sid: 5000277; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[ROUNDCUBE] - Authentication success"; content: "Successful login"; classtype: successful-user; program: roundcube; reference: url,wiki.softwink.com/bin/view/Main/5000278; sid: 5000278; rev:1;) rules/rsync.rules0000644000000000000000000000642211460047376013134 0ustar rootroot# Sagan rsync.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[RSYNC] mkdir failure. Permission denied"; program: rsync; content: "mkdir"; content: "Permission denied"; classtype: program-error; reference: url, wiki.softwink.com/bin/view/Main/5001050; sid: 5001050; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[RSYNC] stat failure. 
Permission denied"; program: rsync; content: "stat"; content: "Permission denied"; classtype: program-error; reference: url, wiki.softwink.com/bin/view/Main/5001051; sid: 5001051; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[RSYNC] Inbound rsync connection"; program: rsync; content: "rsync to"; content: "from"; classtype: not-suspicious; reference: url, wiki.softwink.com/bin/view/Main/5001052; sid: 5001052; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[RSYNC] Connection closed stats"; program: rsync; content: "sent"; content: "received"; content: "total size"; classtype: not-suspicious; reference: url, wiki.softwink.com/bin/view/Main/5001053; sid: 5001053; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[RSYNC] Authentication failure"; program: rsync; content: "auth failed on module"; classtype: attempted-user; reference: url, wiki.softwink.com/bin/view/Main/5001054; sid: 5001054; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[RSYNC] Some files could not be transferred"; program: rsync; content: "rsync error"; content: "code 23"; classtype: program-error; reference: url, wiki.softwink.com/bin/view/Main/5001055; sid: 5001055; rev: 1;) rules/samba.rules0000644000000000000000000000600611460047376013057 0ustar rootroot# Sagan samba.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SAMBA] Startup network problem"; content: "getpeername failed. 
Error was Transport endpoint"; classtype: program-error; program: smbd; reference: url,wiki.softwink.com/bin/view/Main/5000145; sid: 5000145; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SAMBA] Connection denied"; pcre: "/denied connection from|connection denied from/i"; nocase; classtype: unsuccessful-user; program: smbd; reference: url,wiki.softwink.com/bin/view/Main/5000146; sid: 5000146; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SAMBA] Connection reset by peer"; content: "Connection reset by peer"; classtype: not-suspicious; program: smbd; reference: url,wiki.softwink.com/bin/view/Main/5000147; sid: 5000147; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SAMBA] User action denied by configuration"; content: "Permission denied"; classtype: unsuccessful-user; program: smbd; reference: url,wiki.softwink.com/bin/view/Main/5000375; sid: 5000375; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SAMBA] Unable to connect to CUPS server"; content: "Unable to connect to CUPS server"; classtype: program-error; program: smbd; reference: url,wiki.softwink.com/bin/view/Main/5000148; sid: 5000148; rev:1;) rules/sendmail.rules0000644000000000000000000001517711460047634013576 0ustar rootroot# Sagan sendmail.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
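#
#*************************************************************
#
# Sendmail / sm-mta rules.
#
# Rules with the "drop" action are also handed to Sagan's blocking output (if one is
# configured) with the address that parse_ip_simple recovers from the log line.
# VRFY/EXPN probing is reconnaissance, not compromise; on relays whose own clients
# legitimately issue VRFY, consider changing those rules to "alert".
#
# Every content: below is a plain substring match (case-sensitive unless followed by
# nocase).  Alternation is only available through pcre:.
drop tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"[SENDMAIL] VRFY or EXPN root attempt"; content: " root"; nocase; pcre: "/vrfy|expn/i"; classtype: attempted-recon; program: sm-mta|sendmail; reference: url,wiki.softwink.com/bin/view/Main/5000034; parse_ip_simple; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; sid: 5000034; rev:2;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"[SENDMAIL] EXPN command - rejected"; content:"expn "; nocase; content:"[rejected]"; classtype: attempted-recon; program: sm-mta|sendmail; reference: url,wiki.softwink.com/bin/view/Main/5000035; parse_ip_simple; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; sid: 5000035; rev:2;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"[SENDMAIL] VRFY command - rejected"; content:"vrfy "; nocase; content:"[rejected]"; classtype: attempted-recon; program: sm-mta|sendmail; reference: url,wiki.softwink.com/bin/view/Main/5000036; parse_ip_simple; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; sid: 5000036; rev:2;)
# "[not rejected]" variants: the same command string without the "[rejected]" marker.
# They match every EXPN/VRFY log line, including the rejected ones above, so a rejected
# command fires both the rejected and the not-rejected rule.  There is no dedicated wiki
# page for 5000223/5000224; the reference reuses the rejected rule's page.
# rev 3 (5000223): a duplicated parse_ip_simple option was removed.
drop tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"[SENDMAIL] EXPN command - [not rejected]"; content:"expn "; nocase; classtype: attempted-recon; program: sm-mta|sendmail; reference: url,wiki.softwink.com/bin/view/Main/5000035; parse_ip_simple; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; sid: 5000223; rev:3;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"[SENDMAIL] VRFY command - [not rejected]"; content:"vrfy "; nocase; classtype: attempted-recon; program: sm-mta|sendmail; reference: url,wiki.softwink.com/bin/view/Main/5000036; parse_ip_simple; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; sid: 5000224; rev:2;)
# Relay attempts.
# rev 3 (5000037): the previous content "Relaying denied|reject=550 5.7.1" was one literal
# substring, not an alternation, and could never match a sendmail log line.  5000037 now
# matches the text and 5000144 the DSN code; a rejected relay attempt that logs both
# fires both rules.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"[SENDMAIL] Relaying denied"; content: "Relaying denied"; classtype: suspicious-traffic; program: sm-mta|sendmail; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000037; sid: 5000037; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"[SENDMAIL] Relaying denied [reject=550 5.7.1]"; content: "reject=550 5.7.1"; classtype: suspicious-traffic; program: sm-mta|sendmail; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000144; sid: 5000144; rev:2;)
# Sender-side rejections, keyed on the DSN code in the "reject=" field.
# rev 2 (5000136): msg typo "down not resolve" corrected.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"[SENDMAIL] Domain of sender does not resolve"; content:"reject=451 4.1.8"; classtype: suspicious-traffic; program: sm-mta|sendmail; reference: url,wiki.softwink.com/bin/view/Main/5000136; sid: 5000136; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"[SENDMAIL] Rejected by access list"; pcre: "/reject=550 5.0.0|reject=553 5.3.0/"; classtype: suspicious-traffic; program: sm-mta|sendmail; reference: url,wiki.softwink.com/bin/view/Main/5000137; sid: 5000137; rev:1;)
# rev 2 (5000138): destination port "any" changed to 25 for consistency with this file.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"[SENDMAIL] Sender address does not have domain"; content:"reject=553 5.5.4 "; classtype: suspicious-traffic; program: sm-mta|sendmail; reference: url,wiki.softwink.com/bin/view/Main/5000138; sid: 5000138; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"[SENDMAIL] Rejecting due to pre-greet"; content: "rejecting commands from"; classtype: spam; program: sm-mta|sendmail; reference: url,wiki.softwink.com/bin/view/Main/5000139; sid: 5000139; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"[SENDMAIL] Save mail panic"; content: "savemail panic"; classtype: program-error; program: sm-mta|sendmail; reference: url,wiki.softwink.com/bin/view/Main/5000140; sid: 5000140; rev:1;)
# "X-Spam-Score" is only present when header logging is enabled and it appears on every
# scanned message, scored or not; this rule is informational rather than an indicator.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"[SENDMAIL] Sendmail Spamassassin X-Spam-Score"; content: "X-Spam-Score"; classtype: spam; program: sm-mta|sendmail; reference: url,wiki.softwink.com/bin/view/Main/5000141; sid: 5000141; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"[SENDMAIL] Possible SMTP RCPT flood, throttling"; content: "Possible SMTP RCPT flood, throttling"; classtype: spam; program: sm-mta|sendmail; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000142; sid: 5000142; rev:2;)
# A pipe inside the recipient ("to=<|/bin/sh ...>") is the classic attempt to have the MTA
# run a command.  Both contents are literal substrings; "|" here is a single pipe character.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"[SENDMAIL] Username with pipe symbol"; content: "|"; content: "to=<"; classtype: exploit-attempt; program: sm-mta|sendmail; reference: url,wiki.softwink.com/bin/view/Main/5000357; sid: 5000357; rev:1;)
# spamass-milter command injection (SecurityFocus BID 38578).  "+", "|" and "sh " are
# matched as three independent substrings anywhere on the line, so this is loose: treat
# a hit as a prompt to read the whole log line, not as confirmation.
# rev 2 (5000881): program: written unquoted like every other rule in this file; classtype
# raised from system-event to exploit-attempt (as 5000357); "http://" dropped from the url
# reference so the reference system does not double the scheme.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SENDMAIL] SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt"; program: sm-mta|sendmail; content: "+"; content: "|"; content: "sh "; classtype: exploit-attempt; reference: url,wiki.softwink.com/bin/view/Main/5000881; reference: url,www.securityfocus.com/bid/38578; sid: 5000881; rev: 2;)
# rev 2 (5001013): program: written unquoted like every other rule in this file.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SENDMAIL] Possible open proxy"; program: sm-mta|sendmail; content: "probable open proxy:"; classtype: suspicious-traffic; reference: url,wiki.softwink.com/bin/view/Main/5001013; sid: 5001013; rev: 2;)
rules/snort.rules0000644000000000000000000002624111460047652013141 0ustar rootroot
# Sagan snort.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.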
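# * Neither the name of Softwink, Inc. nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
# Snort event rules.
#
# These match the lines Snort writes when it runs with "output alert_syslog"; the
# description text carried after "Classification: " is the one from Snort's
# classification.config, and each rule below re-tags one description with the matching
# Sagan classtype.  The content: strings are case-sensitive and deliberately include the
# "Classification: " prefix - that is what stops "Information Leak" from also matching
# "Attempted Information Leak", and "Denial of Service" from matching "Attempted Denial
# of Service".  If your Snort build renames a description, the rule for it goes silent.
#
# 5000386 is a catch-all: it fires on every Snort syslog line in addition to the specific
# rule below, so disable it (or lower its classtype) once the specific rules are in use.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Snort syslog message"; program: snort; content: "Classification"; content: "Priority"; classtype: suspicious-command; reference: url,wiki.softwink.com/bin/view/Main/5000386; sid: 5000386; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Not Suspicious Traffic"; program: snort; content: "Classification: Not Suspicious Traffic"; classtype: not-suspicious; reference: url,wiki.softwink.com/bin/view/Main/5000976; sid: 5000976; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Unknown Traffic"; program: snort; content: "Classification: Unknown Traffic"; classtype: unknown; reference: url,wiki.softwink.com/bin/view/Main/5000977; sid: 5000977; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Bad Traffic"; program: snort; content: "Classification: Bad Traffic"; classtype: bad-unknown; reference: url,wiki.softwink.com/bin/view/Main/5000978; sid: 5000978; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Attempted Information Leak"; program: snort; content: "Classification: Attempted Information Leak"; classtype: attempted-recon; reference: url,wiki.softwink.com/bin/view/Main/5000979; sid: 5000979; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Information Leak"; program: snort; content: "Classification: Information Leak"; classtype: successful-recon-limited; reference: url,wiki.softwink.com/bin/view/Main/5000980; sid: 5000980; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Large Scale Information Leak"; program: snort; content: "Classification: Large Scale Information Leak"; classtype: successful-recon-largescale; reference: url,wiki.softwink.com/bin/view/Main/5000981; sid: 5000981; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Attempted Denial of Service"; program: snort; content: "Classification: Attempted Denial of Service"; classtype: attempted-dos; reference: url,wiki.softwink.com/bin/view/Main/5000982; sid: 5000982; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Denial of Service"; program: snort; content: "Classification: Denial of Service"; classtype: successful-dos; reference: url,wiki.softwink.com/bin/view/Main/5000983; sid: 5000983; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Attempted User Privilege Gain"; program: snort; content: "Classification: Attempted User Privilege Gain"; classtype: attempted-user; reference: url,wiki.softwink.com/bin/view/Main/5000984; sid: 5000984; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Unsuccessful User Privilege Gain"; program: snort; content: "Classification: Unsuccessful User Privilege Gain"; classtype: unsuccessful-user; reference: url,wiki.softwink.com/bin/view/Main/5000985; sid: 5000985; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Successful User Privilege Gain"; program: snort; content: "Classification: Successful User Privilege Gain"; classtype: successful-user; reference: url,wiki.softwink.com/bin/view/Main/5000986; sid: 5000986; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Attempted Administrator Privilege Gain"; program: snort; content: "Classification: Attempted Administrator Privilege Gain"; classtype: attempted-admin; reference: url,wiki.softwink.com/bin/view/Main/5000987; sid: 5000987; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Successful Administrator Privilege Gain"; program: snort; content: "Classification: Successful Administrator Privilege Gain"; classtype: successful-admin; reference: url,wiki.softwink.com/bin/view/Main/5000988; sid: 5000988; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Decode of an RPC Query"; program: snort; content: "Classification: Decode of an RPC Query"; classtype: rpc-portmap-decode; reference: url,wiki.softwink.com/bin/view/Main/5000989; sid: 5000989; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Executable code was detected"; program: snort; content: "Classification: Executable code was detected"; classtype: shellcode-detect; reference: url,wiki.softwink.com/bin/view/Main/5000990; sid: 5000990; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A suspicious string was detected"; program: snort; content: "Classification: A suspicious string was detected"; classtype: string-detect; reference: url,wiki.softwink.com/bin/view/Main/5000991; sid: 5000991; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A suspicious filename was detected"; program: snort; content: "Classification: A suspicious filename was detected"; classtype: suspicious-filename-detect; reference: url,wiki.softwink.com/bin/view/Main/5000992; sid: 5000992; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] An attempted login using a suspicious username was detected"; program: snort; content: "Classification: An attempted login using a suspicious username was detected"; classtype: suspicious-login; reference: url,wiki.softwink.com/bin/view/Main/5000993; sid: 5000993; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A system call was detected"; program: snort; content: "Classification: A system call was detected"; classtype: system-call-detect; reference: url,wiki.softwink.com/bin/view/Main/5000995; sid: 5000995; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A TCP connection was detected"; program: snort; content: "Classification: A TCP connection was detected"; classtype: tcp-connection; reference: url,wiki.softwink.com/bin/view/Main/5000996; sid: 5000996; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A Network Trojan was detected"; program: snort; content: "Classification: A Network Trojan was detected"; classtype: trojan-activity; reference: url,wiki.softwink.com/bin/view/Main/5000997; sid: 5000997; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A client was using an unusual port"; program: snort; content: "Classification: A client was using an unusual port"; classtype: unusual-client-port-connection; reference: url,wiki.softwink.com/bin/view/Main/5000998; sid: 5000998; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Detection of a Network Scan"; program: snort; content: "Classification: Detection of a Network Scan"; classtype: network-scan; reference: url,wiki.softwink.com/bin/view/Main/5000999; sid: 5000999; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Detection of a Denial of Service Attack"; program: snort; content: "Classification: Detection of a Denial of Service Attack"; classtype: denial-of-service; reference: url,wiki.softwink.com/bin/view/Main/5001000; sid: 5001000; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Detection of a non-standard protocol or event"; program: snort; content: "Classification: Detection of a non-standard protocol or event"; classtype: non-standard-protocol; reference: url,wiki.softwink.com/bin/view/Main/5001001; sid: 5001001; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Generic Protocol Command Decode"; program: snort; content: "Classification: Generic Protocol Command Decode"; classtype: protocol-command-decode; reference: url,wiki.softwink.com/bin/view/Main/5001002; sid: 5001002; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] access to a potentially vulnerable web application"; program: snort; content: "Classification: access to a potentially vulnerable web application"; classtype: web-application-activity; reference: url,wiki.softwink.com/bin/view/Main/5001003; sid: 5001003; rev:1;)
# rev 2 (5001004): classtype corrected from web-application-activity (copied from 5001003)
# to web-application-attack, which is the classtype Snort itself gives this description.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Web Application Attack"; program: snort; content: "Classification: Web Application Attack"; classtype: web-application-attack; reference: url,wiki.softwink.com/bin/view/Main/5001004; sid: 5001004; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Misc activity"; program: snort; content: "Classification: Misc activity"; classtype: misc-activity; reference: url,wiki.softwink.com/bin/view/Main/5001005; sid: 5001005; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Misc Attack"; program: snort; content: "Classification: Misc Attack"; classtype: misc-attack; reference: url,wiki.softwink.com/bin/view/Main/5001006; sid: 5001006; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Generic ICMP event"; program: snort; content: "Classification: Generic ICMP event"; classtype: icmp-event; reference: url,wiki.softwink.com/bin/view/Main/5001007; sid: 5001007; rev:1;)
# "SCORE! Get the lotion!" is the literal description Snort ships for classtype kickass-porn.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] SCORE! Get the lotion! [Porn]"; program: snort; content: "Classification: SCORE! Get the lotion!"; classtype: kickass-porn; reference: url,wiki.softwink.com/bin/view/Main/5001008; sid: 5001008; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Potential Corporate Privacy Violation"; program: snort; content: "Classification: Potential Corporate Privacy Violation"; classtype: policy-violation; reference: url,wiki.softwink.com/bin/view/Main/5001009; sid: 5001009; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Attempt to login by a default username and password"; program: snort; content: "Classification: Attempt to login by a default username and password"; classtype: default-login-attempt; reference: url,wiki.softwink.com/bin/view/Main/5001010; sid: 5001010; rev:1;)
rules/solaris.rules0000644000000000000000000000440211460047376013446 0ustar rootroot
# Sagan solaris.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of Softwink, Inc. nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED.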
# IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
# Solaris daemon and platform-hardware events.  Both rules are keyed on the syslog
# program name, so they only fire when the forwarding host preserves it.
#
# kcfd is the Solaris kernel cryptographic framework daemon.  The message matched here is
# logged when it cannot open a certificate file; a provider whose certificate cannot be
# read is not usable, so this is worth an operator's attention even though it is
# classified as a program error.  (Confirm the exact wording against /var/adm/messages on
# your release - the content: match is case-sensitive.)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] kcfd - Unable to open certificate file"; program: kcfd; content: "unable to open certificate file"; classtype: program-error; reference: url,wiki.softwink.com/bin/view/Main/5000393; sid: 5000393; rev:1;)
# rmclomv is the service-processor (RMC/LOM) event daemon on Sun Fire servers; "PSU ... has
# FAULTED" is its power-supply fault notification.  Two independent substrings are required,
# so the rule is unaffected by the PSU number between them.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] rmclomv - Power Supply FAULT!"; program: rmclomv; content: "PSU"; content: "has FAULTED"; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5000405; sid: 5000405; rev:1;)
rules/squid.rules0000644000000000000000000001007611460047376013123 0ustar rootroot
# Sagan squid.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of Softwink, Inc. nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
# These rules match Squid's access log, so Squid must send that log to syslog rather than
# (or as well as) to a file: add "access_log syslog" to squid.conf and reload Squid.  The
# rules also require the syslog program name to arrive as "squid"; if the log is relayed
# through another host, make sure the program field survives the relay.
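# Squid access-log events.  Port 3128 is Squid's default listener; change it (or use a
# variable) if the proxy listens elsewhere.  5000043 fires on every denied request, and
# 5000044/5000045 are strict subsets of it (the same "TCP_DENIED" plus a reason string),
# so one malformed request produces two alerts.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"[SQUID] TCP_DENIED"; content: "TCP_DENIED"; classtype: suspicious-traffic; program: squid; reference: url,wiki.softwink.com/bin/view/Main/5000043; sid: 5000043; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"[SQUID] TCP_DENIED unsupported-request-method"; content: "TCP_DENIED"; content: "unsupported-request-method"; classtype: suspicious-traffic; program: squid; reference: url,wiki.softwink.com/bin/view/Main/5000044; sid: 5000044; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"[SQUID] TCP_DENIED invalid-request"; content: "TCP_DENIED"; content: "invalid-request"; classtype: suspicious-traffic; program: squid; reference: url,wiki.softwink.com/bin/view/Main/5000045; sid: 5000045; rev:1;)
# Web-attack patterns in the requested URL.  Squid logs the URL as the client sent it, so
# URL-encoded forms are only caught where a pattern below says so.
# rev 2 (5000046): the previous content "@CGIDIRScgiwrap" was an unexpanded template token
# that can never appear in a URL; the rule now matches the cgiwrap path itself.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"[SQUID] cgiwrap access attempt"; content: "/cgiwrap"; nocase; classtype: web-application-activity; program: squid; reference: url,wiki.softwink.com/bin/view/Main/5000046; sid: 5000046; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"[SQUID] Directory traversal attempt"; content: "../.."; classtype: web-application-attack; program: squid; reference: url,wiki.softwink.com/bin/view/Main/5000047; sid: 5000047; rev:1;)
# rev 2 (5000048): the previous content was empty and therefore matched every log line.
# The rule now looks for an opening <script tag, raw or URL-encoded, and is classified
# with the other web-attack rules in this file.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg: "[SQUID] XSS attempt"; pcre: "/<script|%3cscript/i"; classtype: web-application-attack; program: squid; reference: url,wiki.softwink.com/bin/view/Main/5000048; sid: 5000048; rev:2;)
# 5000049 is a bare substring: "passwd" anywhere in the URL, so password-change pages
# (changepasswd.cgi and the like) fire it as well.  Tighten it to "/etc/passwd" (and its
# URL-encoded form) if that noise matters more than catching other passwd files.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"[SQUID] 'passwd' access attempt"; content: "passwd"; classtype: web-application-attack; program: squid; reference: url,wiki.softwink.com/bin/view/Main/5000049; sid: 5000049; rev:1;)
# "///" is a path-normalisation evasion rather than "../" traversal; it shares the msg
# with 5000047, so tell them apart by sid.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"[SQUID] Directory traversal attempt"; content: "///"; classtype: web-application-attack; program: squid; reference: url,wiki.softwink.com/bin/view/Main/5000050; sid: 5000050; rev:1;)
# rev 2 (5000387): msg typo "MSG Messenger" corrected to "MSN Messenger".
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"[SQUID] MSN Messenger access"; content: "x-msn-messenger"; classtype: policy-violation; program: squid; reference: url,wiki.softwink.com/bin/view/Main/5000387; sid: 5000387; rev:2;)
rules/su.rules0000644000000000000000000000670311460047376012427 0ustar rootroot
# Sagan su.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of Softwink, Inc. nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.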
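#
#*************************************************************
#
# This file covers both "su" and "sudo".
#
# sudo logs every permitted command as "user : TTY=... ; PWD=... ; USER=root ; COMMAND=...",
# so 5000133 fires on routine administration, not only on abuse - treat it as an audit
# trail.  Failures are logged either by sudo itself ("user NOT in sudoers", "3 incorrect
# password attempts") or by PAM ("authentication failure"); 5000025 only sees the PAM
# line when the syslog program field is "sudo".
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] SUDO user NOT in sudoers"; content:"user NOT in sudoers"; classtype: unsuccessful-admin; program: sudo; reference: url,wiki.softwink.com/bin/view/Main/5000024; sid: 5000024; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SU] SUDO authentication failure"; content: "authentication failure"; classtype: unsuccessful-admin; program: sudo; reference: url,wiki.softwink.com/bin/view/Main/5000025; sid: 5000025; rev:1;)
# su wording differs by implementation: Debian/Ubuntu log "Successful su for root by USER"
# and "FAILED su for root by USER", Red Hat-style su logs "FAILED SU (to root) USER on
# pts/N" in upper case.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Successful su as root"; content:"Successful su for root"; classtype: successful-admin; program: su; reference: url,wiki.softwink.com/bin/view/Main/5000027; sid: 5000027; rev:1;)
# rev 2 (5000028): nocase added so the upper-case "FAILED SU" form is caught as well.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] FAILED su"; content:"FAILED su"; nocase; classtype: unsuccessful-admin; program: su; reference: url,wiki.softwink.com/bin/view/Main/5000028; sid: 5000028; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Three failed attempts to run sudo"; content: "3 incorrect password attempts"; classtype: unsuccessful-admin; program: sudo; reference: url,wiki.softwink.com/bin/view/Main/5000132; sid: 5000132; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Successful sudo to ROOT executed"; content: "USER=root"; content: "COMMAND="; classtype: successful-admin; program: sudo; reference: url,wiki.softwink.com/bin/view/Main/5000133; sid: 5000133; rev:1;)
# 5000409 needs both "su root" and "succeeded for root" on one line; which su
# implementation produces that exact wording is not recorded here - confirm it against a
# real log line before relying on the rule.
# rev 2 (5000409): msg typo "suceeded" corrected.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] su as 'root' succeeded"; content: "su root"; content: "succeeded for root"; classtype: successful-admin; program: su; reference: url,wiki.softwink.com/bin/view/Main/5000409; sid: 5000409; rev:2;)
rules/syslog.rules0000644000000000000000000002112511460047376013313 0ustar rootroot
# Sagan syslog.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.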
#
# Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of Softwink, Inc. nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
# Generic rules that do not belong to any application-specific rule file.  Most of them
# carry no program: filter, so they match the phrase from whatever process logs it and
# will overlap with the application rule sets (for example, a failed su or sudo can fire
# both its own rule and the generic authentication-failure rule here).
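# Kernel routing anomalies (ICMP redirects, martian sources).
# NOTE(review): these rules use the first word of the kernel message ("Redirect",
# "Advised", "martian") as the program: filter.  That only works when the syslog daemon
# leaves kernel messages untagged; a daemon that tags them as "kernel" makes these rules
# silent, and program: must then be changed to match.  Verify on a live message.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Kernel TCP/IP redirect attempt"; content: "Redirect from"; classtype: bad-unknown; program: Redirect; facility: kern; reference: url,wiki.softwink.com/bin/view/Main/5000056; sid: 5000056; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Kernel TCP/IP redirect attempt"; content: "Advised path"; classtype: bad-unknown; program: Advised; facility: kern; reference: url,wiki.softwink.com/bin/view/Main/5000057; sid: 5000057; rev:1;)
# rev 2 (5000058): msg typo "to fast" corrected.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] init respawning too fast"; content: "respawning too fast"; classtype: program-error; program: init; reference: url,wiki.softwink.com/bin/view/Main/5000058; sid: 5000058; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Martian source packet"; content: "martian source"; classtype: bad-unknown; program: martian; facility: kern; reference: url,wiki.softwink.com/bin/view/Main/5000059; sid: 5000059; rev:1;)
# Generic fault catch-all.  " fatal " and " corrupt " are broad, and the segmentation-fault
# branch overlaps application-specific crash rules (e.g. the Apache one), so expect
# duplicate alerts for a single event.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Possible unknown problem on a system"; pcre: "/core_dump|core dump| fatal |segmentation fault| corrupt /i"; classtype: program-error; reference: url,wiki.softwink.com/bin/view/Main/5000114; sid: 5000114; rev:1;)
# When /etc/securetty cannot be opened, the tty restriction on root logins is not being
# enforced - hence the msg, even though the log line itself is just an open() failure.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] /etc/securetty missing, root access unrestricted"; content: "couldn't open /etc/securetty"; nocase; classtype: program-error; reference: url,wiki.softwink.com/bin/view/Main/5000115; sid: 5000115; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] System out of disk space"; pcre: "/file system full|No space left on device/i"; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5000116; sid: 5000116; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Unable to mount NFS share"; content: "mount failure"; classtype: program-error; program: nfs; reference: url,wiki.softwink.com/bin/view/Main/5000117; sid: 5000117; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Unable to mount the NFS directory"; content: "refused mount request from"; classtype: program-error; program: rpc.mountd; reference: url,wiki.softwink.com/bin/view/Main/5000118; sid: 5000118; rev:1;)
# Authentication wording from several daemons.  No program: filter, so this also fires
# alongside the su/sudo rules for the same event.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|more authentication failures/i"; classtype: unsuccessful-user; reference: url,wiki.softwink.com/bin/view/Main/5000119; sid: 5000119; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Illegal root login"; pcre: "/ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED/"; classtype: unsuccessful-admin; reference: url,wiki.softwink.com/bin/view/Main/5000120; sid: 5000120; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Connection blocked by TCP Wrappers"; pcre: "/refused connect from|libwrap refused connection|connection from \S+ denied/i"; classtype: tcp-connection; reference: url,wiki.softwink.com/bin/view/Main/5000121; sid: 5000121; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Physical root login"; content: "ROOT LOGIN on"; nocase; classtype: successful-admin; reference: url,wiki.softwink.com/bin/view/Main/5000122; sid: 5000122; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Oversized packet - ping of death?"; content: "Oversized packet received from"; classtype: attempted-dos; reference: url,wiki.softwink.com/bin/view/Main/5000123; sid: 5000123; facility: kern; rev:1;)
# A NIC entering promiscuous mode is what a packet sniffer started on the host looks like
# from syslog; legitimate causes (tcpdump, bridging, some virtualisation) look identical.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Interface entered promiscuous mode"; pcre: "/Promiscuous mode enabled|device \S+ entered promiscuous mode/i"; classtype: suspicious-traffic; reference: url,wiki.softwink.com/bin/view/Main/5000124; sid: 5000124; facility: kern; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] System out of memory!"; content: "out of memory"; nocase; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5000125; sid: 5000125; facility: kern; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Kernel log daemon terminating"; content: "kernel log daemon terminating"; nocase; classtype: program-error; reference: url,wiki.softwink.com/bin/view/Main/5000126; sid: 5000126; facility: kern; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] ADSL line is up"; content: "ADSL line is up"; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5000127; sid: 5000127; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] ADSL line is down"; content: "ADSL line is down"; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5000128; sid: 5000128; rev:1;)
# Account lifecycle events.
# rev 3 (5000130): "groupadd" added to the program: list.  useradd logs "new group:" when
# it creates a user's private group, but a standalone groupadd logs the same phrase under
# its own program name, which the previous filter missed.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] New group added to the system"; content: "new group"; nocase; program: useradd|adduser|groupadd; classtype: system-event; reference: url,wiki.softwink.com/bin/view/Main/5000130; sid: 5000130; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] New user added to the system"; pcre: "/new user|new account added/i"; program: useradd|adduser; classtype: system-event; reference: url,wiki.softwink.com/bin/view/Main/5000131; sid: 5000131; rev:2;)
# The next two have no program: filter, so any process logging these phrases matches.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] User or group was deleted from the system"; pcre: "/delete user|account deleted|remove group/i"; nocase; classtype: system-event; reference: url,wiki.softwink.com/bin/view/Main/5000376; sid: 5000376; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Information for a user was changed"; content: "changed user"; nocase; classtype: system-event; reference: url,wiki.softwink.com/bin/view/Main/5000377; sid: 5000377; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] automount - Couldn't stat filesystem"; program: automount; content: "could not stat fs of"; classtype: system-event; reference: url,wiki.softwink.com/bin/view/Main/5000395; sid: 5000395; rev:1;)
# The Nagios agent that logs "Host x.x.x.x is not allowed to talk to us!" is nrpe.
# rev 2 (5000410): program: and msg corrected from the typo "npre"; with the old value the
# program filter could never match and the rule was dead.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Nagios nrpe - Host not allowed"; program: nrpe; content: "is not allowed to talk to us"; classtype: suspicious-traffic; reference: url,wiki.softwink.com/bin/view/Main/5000410; sid: 5000410; rev:2;)
# syslog-ng write failures: a destination (file or remote host) is no longer accepting
# events, i.e. log collection itself is degraded.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] syslog-ng I/O error"; program: syslog-ng; content: "I/O error occurred while writing"; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5001011; sid: 5001011; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] syslog-ng suspend write"; program: syslog-ng; content: "Suspending write operation"; classtype: hardware-event; reference: url,wiki.softwink.com/bin/view/Main/5001012; sid: 5001012; rev:1;)
rules/tcp.rules0000644000000000000000000000373411460047376012567 0ustar rootroot
# Sagan tcp.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of Softwink, Inc. nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.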
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# NOTE(review): sid 5000031 is the only rule in this rule set that uses the "drop"
# action instead of "alert", and it combines that with parse_ip_simple, so the address
# acted on is whatever is parsed out of the kernel "Treason uncloaked" message. If
# "drop" is wired to an active response in this deployment, a noisy or mis-parsed
# message would block the parsed peer automatically with no analyst review; confirm
# that is intended, otherwise downgrade to "alert" and bump rev. Also "program: TCP"
# assumes the syslog daemon tags this kernel message as "TCP" — verify against a
# captured sample line, since other deployments may tag it as "kernel".
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"TCP Treason uncloaked"; content: "Treason uncloaked"; classtype: bad-unknown; program: TCP; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000031; sid: 5000031; rev:2;)
rules/telnet.rules0000644000000000000000000000575211460047376013276 0ustar rootroot
# Sagan telnet.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg: "[TELNET] Connection refused by TCP Wrappers"; content: "refused connect from"; classtype: tcp-connection; program: telnetd; reference: url,wiki.softwink.com/bin/view/Main/5000243; sid: 5000243; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg: "[TELNET] Remote host established a telnet connection"; content: "connection from"; classtype: not-suspicious; program: telnetd; reference: url,wiki.softwink.com/bin/view/Main/5000244; sid: 5000244; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg: "[TELNET] Remote host invalid connection"; content: "ttloop"; pcre: "/peer died|read/i"; classtype: network-event; program: telnetd; reference: url,wiki.softwink.com/bin/view/Main/5000245; sid: 5000245; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg: "[TELNET] Reverse lookup error"; content: "can't verify hostname"; classtype: network-event; program: telnetd; reference: url,wiki.softwink.com/bin/view/Main/5000246; 
sid: 5000246; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg: "[TELNET] Attempt to login with an option"; content: "Attempt to login with an option"; classtype: exploit-attempt; program: telnetd; reference: url,wiki.softwink.com/bin/view/Main/5000392; sid: 5000392; rev:1;) rules/tripwire.rules0000644000000000000000000000400611460047376013637 0ustar rootroot# Sagan tripwire.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[TRIPWIRE] Integrity Check failed"; content: "Integrity Check failed"; content: "File could not"; classtype: system-event; program: tripwire; reference: url,wiki.softwink.com/bin/view/Main/5000129; sid: 5000129; rev:1;) rules/vmpop3d.rules0000644000000000000000000000375611460047376013375 0ustar rootroot# Sagan vmpop3d.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert syslog $EXTERNAL_NET any -> $HOME_NET 110 (msg:"[VMPOP3D] Authentication failure for POP3"; content: "failed auth"; classtype: unsuccessful-user; program: vm-pop3d; reference: url,wiki.softwink.com/bin/view/Main/5000215; sid: 5000215; rev:1; ) rules/vmware.rules0000644000000000000000000000631311460047376013276 0ustar rootroot# Sagan vmware.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # VMWare ESX alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] User login successful"; pcre: "/Accepted password for|login from/i"; classtype: successful-admin; program: vmware-hostd|vmware-authd; reference: url,wiki.softwink.com/bin/view/Main/5000204; sid: 5000204; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] User authentication failure"; content: "Rejected password for"; classtype: unsuccessful-admin; program: vmware-hostd|vmware-authd; reference: url,wiki.softwink.com/bin/view/Main/5000206; sid: 5000206; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] Virtual machine state change to OFF"; content: "VM_STATE_OFF"; classtype: system-event; reference: url,wiki.softwink.com/bin/view/Main/5000208; sid: 5000208; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] Virtual machine being turned ON"; content: "VM_STATE_POWERING_ON"; classtype: system-event; reference: 
url,wiki.softwink.com/bin/view/Main/5000380; sid: 5000380; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] Virtual machine state change to ON"; content: "VM_STATE_ON"; classtype: system-event; reference: url,wiki.softwink.com/bin/view/Main/5000209; sid: 5000209; rev:1; ) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] Virtual machine being reconfigured"; content: "VM_STATE_RECONFIGURING"; classtype: configuration-change; reference: url,wiki.softwink.com/bin/view/Main/5000210; sid: 5000210; rev:1; ) rules/vpopmail.rules0000644000000000000000000000537311460047376013631 0ustar rootroot# Sagan vpopmail.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"[VPOPMAIL] Authentication failure for POP3 service"; content: "password fail"; classtype: unsuccessful-user; program: vpopmail; reference: url,wiki.softwink.com/bin/view/Main/5000211; sid: 5000211; rev:1; ) alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"[VPOPMAIL] User not found/Invalid login for POP3 service"; content: "vpopmail user not found"; classtype: unsuccessful-user; program: vpopmail; reference: url,wiki.softwink.com/bin/view/Main/5000212; sid: 5000212; rev:1; ) alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"[VPOPMAIL] Successful POP3 login"; content: "login success"; classtype: successful-user; program: vpopmail; reference: url,wiki.softwink.com/bin/view/Main/5000213; sid: 5000213; rev:1; ) alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"[VPOPMAIL] Null password given for POP3 service"; content: "null password given"; classtype: unsuccessful-user; program: vpopmail; reference: url,wiki.softwink.com/bin/view/Main/5000214; sid: 5000214; rev:1; ) rules/vsftpd.rules0000644000000000000000000000611111460047376013277 0ustar rootroot# Sagan vsftpd.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[VSFTPD] Session opened"; content: "CONNECT"; classtype: not-suspicious; program: vsftpd; reference: url,wiki.softwink.com/bin/view/Main/5000194; sid: 5000194; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[VSFTPD] Authentication successful"; content: "OK LOGIN"; classtype: successful-user; program: vsftpd; reference: url,wiki.softwink.com/bin/view/Main/5000195; sid: 5000195; rev:1;)
# NOTE(review): no threshold on the login-failure rule, so a password-guessing burst
# emits one alert per attempt; compare the "threshold: type limit, track by_src"
# used on the Windows logon-failure rule (sid 5000302) if alert volume is a concern.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[VSFTPD] Login failed"; content: "FAIL LOGIN"; classtype: unsuccessful-user; program: vsftpd; reference: url,wiki.softwink.com/bin/view/Main/5000196; sid: 5000196; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"[VSFTPD] File uploaded"; content: "OK UPLOAD"; classtype: not-suspicious; program: vsftpd; reference: url,wiki.softwink.com/bin/view/Main/5000197; sid: 5000197; rev:1;)
# NOTE(review): sid 5000415 looks like it can never fire as written. Every pcre
# alternative is anchored with ^ and $ (e.g. "^apache$"), so — if, as with the other
# pcre rules in this set, the expression is applied to the whole syslog message — the
# entire message would have to be exactly one account name, yet the same rule also
# requires the message to contain "OK LOGIN"; both cannot hold at once. It is also
# tagged "[FTPD]" with "program: sshd" although it lives in vsftpd.rules, watches
# port 21 and keys on the vsftpd "OK LOGIN" string; the four sibling rules above use
# "program: vsftpd". Re-test against a captured vsftpd OK LOGIN line (drop the
# anchors or match the account name where it actually appears), fix the program
# tag, and bump rev. Typo in msg: "an disabled" -> "a disabled".
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "[FTPD] User logged into an disabled account"; content: "OK LOGIN"; pcre: "/^apache$|^mysql$|^www$|^nobody$|^nogroup$|^portmap$|^named$|^rpc$|^mail$|^ftp$|^shutdown$|^halt$|^daemon$|^bin$|^postfix$|^shell$|^info$|^guest$|^psql$|^user$|^users$|^console$|^uucp$|^lp$|^sync$|^sshd$|^cdrom$|^ossec$|^sagan$/"; classtype: successful-user; reference: url,wiki.softwink.com/bin/view/Main/5000415; program: sshd; sid: 5000415; rev:1;)
rules/windows.rules0000644000000000000000000004230411460047376013467 0ustar rootroot
# Sagan windows.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.
# # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # Windows based rules. # Eventlog to syslog service. This is what we primarily use. 
# http://code.google.com/p/eventlog-to-syslog/ alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Unknown user name or bad password"; content: "Logon Failure"; content: "Unknown user name or bad password"; classtype: unsuccessful-user; program: Security; threshold:type limit, track by_src, count 5, seconds 120; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000302; sid: 5000302; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Account logon time restriction violation"; content: "Logon Failure"; content: "account logon time restriction violation"; classtype: unsuccessful-user; program: Userenv; reference: url,wiki.softwink.com/bin/view/Main/5000303; sid: 5000303; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Account locked out"; content: "Account locked out User Name"; classtype: unsuccessful-user; program: Security; reference: url,wiki.softwink.com/bin/view/Main/5000358; sid:5000358; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Successful user logoff"; content: "User Logoff"; classtype: not-suspicious; program: Security; reference: url,wiki.softwink.com/bin/view/Main/5000304; sid:5000304; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Successful user logon"; content: "Successful Logon"; classtype: successful-user; program: Security; reference: url,wiki.softwink.com/bin/view/Main/5000305; sid: 5000305; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Detection of net listening application"; content: "Windows Firewall has detected an application listening for incoming traffic"; threshold: type limit, track by_src, count 5, seconds 300; classtype: network-event; program: Security; reference: url,wiki.softwink.com/bin/view/Main/5000306; sid: 5000306; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Privileged Service Called"; content: "Privileged Service Called"; classtype: 
successful-admin; program: Security; reference: url,wiki.softwink.com/bin/view/Main/5000307; sid: 5000307; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Apple Bonjour service detect [iTunes installed?]"; content: "Bonjour"; classtype: policy-violation; program: Bonjour; reference: url,wiki.softwink.com/bin/view/Main/5000308; sid: 5000308; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Application error"; content: "Application Error"; classtype: program-error; program: Application; reference: url,wiki.softwink.com/bin/view/Main/5000309; sid: 5000309; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Application hang"; content: "Application Hang"; classtype: program-error; program: Application; reference: url,wiki.softwink.com/bin/view/Main/5000310; sid: 5000310; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Application popup"; content: "Application Popup"; classtype: program-error; program: Application; reference: url,wiki.softwink.com/bin/view/Main/5000311; sid: 5000311; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] SCSI bug fault occurred"; content: "SCSI bus fault"; classtype: hardware-event; program: CPQCISSE; reference: url,wiki.softwink.com/bin/view/Main/5000316; sid: 5000316; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Backup Exec - Job completed with exceptions"; content: "Job Completed with Exceptions"; classtype: program-error; program: Backup; reference: url,wiki.softwink.com/bin/view/Main/5000312; sid: 5000312; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Backup Exec - Job cancellation"; content: "Job Cancellation"; classtype: program-error; program: Backup; reference: url,wiki.softwink.com/bin/view/Main/5000313; sid: 5000313; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Backup Exec - Alert - insert media"; content: "Media Insert"; classtype: 
hardware-event; program: Backup; reference: url,wiki.softwink.com/bin/view/Main/5000314; sid: 5000314; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Backup Exec - Service started"; content: "Service Start"; classtype: system-event; program: Backup; reference: url,wiki.softwink.com/bin/view/Main/5000315; sid: 5000315; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Citrix message"; content: "citrix"; nocase; classtype: system-event; program: Citrix; reference: url,wiki.softwink.com/bin/view/Main/5000317; sid: 5000317; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Trusted Platform Module [TPM] Error. User name not found"; content: "The user name could not be found"; nocase; classtype: unsuccessful-user; program: DAC; reference: url,wiki.softwink.com/bin/view/Main/5000318; sid: 5000318; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Eventlog service was corrupted"; content: "Eventlog was corrupted"; classtype: program-error; program: Eventlog; reference: url,wiki.softwink.com/bin/view/Main/5000319; sid: 5000319; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Eventlog service was stopped"; content: "Eventlog to Syslog Service Stopped"; classtype: system-event; program: Eventlog; reference: url,wiki.softwink.com/bin/view/Main/5000320; sid: 5000320; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Eventlog service returned error"; content: "Eventlog returned error"; classtype: program-error; program: Eventlog; reference: url,wiki.softwink.com/bin/view/Main/5000322; sid: 5000322; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Eventlog service reporting uptime [in seconds]"; content: "The system uptime"; classtype: not-suspicious; program: Eventlog; reference: url,wiki.softwink.com/bin/view/Main/5000323; sid: 5000323; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] IPSec 
message"; content: "IPSec"; nocase; classtype: not-suspicious; program: IPSec; reference: url,wiki.softwink.com/bin/view/Main/5000324; sid: 5000324; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] LSASRV - Could not establish a secure connection"; content: "could not establish a secured connection"; classtype: network-event; program: LSASRV; reference: url,wiki.softwink.com/bin/view/Main/5000381; sid: 5000381; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET 1433 (msg: "[WINDOWS] MS-SQL - Server started"; content: "Microsoft SQL Server"; classtype: system-event; program: MSSQLSERVER; reference: url,wiki.softwink.com/bin/view/Main/5000325; sid: 5000325; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET 1433 (msg: "[WINDOWS] MS-SQL - Server listening on network"; content: "SQL server listening"; classtype: network-event; program: MSSQLSERVER; parse_ip_simple; parse_port_simple; reference: url,wiki.softwink.com/bin/view/Main/5000326; sid: 5000326; rev:2;)
# NOTE(review): the generic MsiInstaller rules overlap the product-specific ones:
# "installed successfully" (sid 5000327) also matches every line sid 5000328 singles
# out, and "Update" (sid 5000332) also matches sids 5000329 and 5000331. One install
# or update event therefore raises two alerts; either make the generic rules the
# fallback only or accept the duplicate as intended.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] MsiInstaller - Client successfully installed software"; content: "installed successfully"; nocase; classtype: not-suspicious; program: MsiInstaller; reference: url,wiki.softwink.com/bin/view/Main/5000327; sid: 5000327; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] MsiInstaller - Google Toolbar installed"; content: "Google Toolbar"; content: "installed successfully"; nocase; classtype: policy-violation; program: MsiInstaller; reference: url,wiki.softwink.com/bin/view/Main/5000328; sid: 5000328; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] MsiInstaller - Google Toolbar updated"; content: "Google Toolbar"; content: "Update"; nocase; classtype: policy-violation; program: MsiInstaller; reference: url,wiki.softwink.com/bin/view/Main/5000329; sid: 5000329; rev:1;)
# NOTE(review): msg says "Google Toolbar updated" but the content matched is
# "Google Update Helper"; the alert text is misleading for what the rule fires on.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] MsiInstaller - Google Toolbar updated"; content: "Google Update Helper"; content: "Update"; nocase; classtype: policy-violation; program: MsiInstaller; reference: url,wiki.softwink.com/bin/view/Main/5000331; sid: 5000331; rev:1;)
# Typo in msg: "clearner" -> "cleaner" (bump rev if changed).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] MsiInstaller - RegWork - Registry clearner"; content: "Product"; content: "RegWork"; classtype: policy-violation; program: MsiInstaller; reference: url,wiki.softwink.com/bin/view/Main/5000330; sid: 5000330; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] MsiInstaller - Client successfully updated software"; content: "Update"; nocase; classtype: not-suspicious; program: MsiInstaller; reference: url,wiki.softwink.com/bin/view/Main/5000332; sid: 5000332; rev:1;)
# Typo in msg: "messsage" -> "message" (bump rev if changed).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] NtServicePack messsage - package or hotfix installed"; content: "was installed"; classtype: not-suspicious; program: NtServicePack; reference: url,wiki.softwink.com/bin/view/Main/5000334; sid: 5000334; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] SNMP Service has started successfully"; content: "SNMP Service has started successfully"; classtype: system-event; program: SNMP; reference: url,wiki.softwink.com/bin/view/Main/5000335; sid: 5000335; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Google Software Updater service is active"; content: "Google Software Updater service"; classtype: policy-violation; program: Service; reference: url,wiki.softwink.com/bin/view/Main/5000336; sid: 5000336; rev:1;)
# NOTE(review): sids 5000337 and 5000338 are the same rule (identical msg, content,
# classtype and program; 5000338 continues on the following line), so every matching
# event is alerted twice. Remove 5000338 or give it a distinct content.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Google update service is active"; content: "Google Update Service"; classtype: policy-violation; program: Service; reference: url,wiki.softwink.com/bin/view/Main/5000337; sid: 5000337; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Google update service is active"; content: "Google Update Service"; classtype: policy-violation; program: Service;
reference: url,wiki.softwink.com/bin/view/Main/5000338; sid: 5000338; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Tenable Nessus service is active [pen-test tool]"; content: "Tenable Nessus"; classtype: policy-violation; program: Service; reference: url,wiki.softwink.com/bin/view/Main/5000339; sid: 5000339; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Remote Access Connection Manager service is active"; content: "Remote Access Connection Manager"; classtype: network-event; program: Service; reference: url,wiki.softwink.com/bin/view/Main/5000340; sid: 5000340; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Bonjour service is active [iTunes installed?]"; content: "Bonjour"; classtype: policy-violation; program: Service; reference: url,wiki.softwink.com/bin/view/Main/5000382; sid: 5000382; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Symantec AntiVirus startup successful"; content: "services startup was successful"; classtype: system-event; program: Symantec; reference: url,wiki.softwink.com/bin/view/Main/5000341; sid: 5000341; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Symantec AntiVirus couldn't scan some files or directories"; content: "Could not scan"; classtype: program-error; program: Symantec; reference: url,wiki.softwink.com/bin/view/Main/5000342; sid: 5000342; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Symantec AntiVirus New virus definition file loaded"; content: "New virus definition file loaded"; classtype: not-suspicious; program: Symantec; reference: url,wiki.softwink.com/bin/view/Main/5000343; sid: 5000343; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Symantec AntiVirus Successful remote connect by administrator"; content: "User"; content: "connected from"; content: "with Admin role"; classtype: successful-admin; program: Symantec; reference: 
url,wiki.softwink.com/bin/view/Main/5000344; sid: 5000344; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Tenable Nessus started [pen-test tool]"; content: "started successfully"; classtype: suspicious-traffic; program: Tenable; reference: url,wiki.softwink.com/bin/view/Main/5000345; sid: 5000345; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] WinRM [Windows Remote Management] is started and listening"; content: "service is listening for WS-Management requests"; classtype: network-event; program: WinRM; reference: url,wiki.softwink.com/bin/view/Main/5000346; sid: 5000346; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg: "[WINDOWS] WinVNC4 Connection accepted"; content: "Connections"; content: "accepted"; classtype: network-event; program: WinVNC4; parse_ip_simple; parse_port_simple; reference: url,wiki.softwink.com/bin/view/Main/5000347; sid: 5000347; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg: "[WINDOWS] WinVNC4 Connection closed - Requested security type not available"; content: "closed"; content: "Requested security type not available"; classtype: suspicious-traffic; program: WinVNC4; parse_ip_simple; parse_port_simple; reference: url,wiki.softwink.com/bin/view/Main/5000348; sid: 5000348; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg: "[WINDOWS] WinVNC4 Connection blacklisted"; content: "Connections"; content: "blacklisted"; classtype: suspicious-traffic; parse_ip_simple; parse_port_simple; program: WinVNC4; reference: url,wiki.softwink.com/bin/view/Main/5000349; sid: 5000349; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg: "[WINDOWS] WinVNC4 Connection Authentication failure"; content: "Authentication failure"; classtype: unsuccessful-user; program: WinVNC4; parse_ip_simple; parse_port_simple; reference: url,wiki.softwink.com/bin/view/Main/5000350; sid: 5000350; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg: "[WINDOWS] WinVNC4 Connection close - 
reset by peer"; content: "closed"; content: "Connection reset by peer"; parse_ip_simple; parse_port_simple; classtype: not-suspicious; program: WinVNC4; reference: url,wiki.softwink.com/bin/view/Main/5000351; sid: 5000351; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg: "[WINDOWS] WinVNC4 Connection close - Non-shared connection requested"; content: "closed"; content: "Non-shared connection requested"; parse_ip_simple; parse_port_simple; classtype: suspicious-traffic; program: WinVNC4; reference: url,wiki.softwink.com/bin/view/Main/5000352; sid: 5000352; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg: "[WINDOWS] WinVNC4 Connection close - reading version failed"; content: "closed"; content: "reading version failed"; parse_ip_simple; parse_port_simple; classtype: suspicious-traffic; program: WinVNC4; reference: url,wiki.softwink.com/bin/view/Main/5000353; sid: 5000353; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg: "[WINDOWS] WinVNC4 Connection closed"; content: "closed"; content: "Clean disconnection"; parse_ip_simple; parse_port_simple; classtype: not-suspicious; program: WinVNC4; reference: url,wiki.softwink.com/bin/view/Main/5000354; sid: 5000354; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg: "[WINDOWS] WinVNC4 HTTPServer event"; content: "HTTPServer"; classtype: network-event; program: WinVNC4; parse_ip_simple; parse_port_simple; reference: url,wiki.softwink.com/bin/view/Main/5000355; sid: 5000355; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Crypt32 Failed to extract third-party root list"; content: "Failed extract of third-party root list"; classtype: program-error; program: crypt32; reference: url,wiki.softwink.com/bin/view/Main/5000356; sid: 5000356; rev:1;) rules/wordpress.rules0000644000000000000000000000643411460047376014031 0ustar rootroot# Sagan wordpress.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"[WORDPRESS] - Wordpress authentication failed"; content: "User authentication failed"; classtype: unsuccessful-user; program: WPsyslog; reference: url,wiki.softwink.com/bin/view/Main/5000198; sid: 5000198; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"[WORDPRESS] - Wordpress authentication succeeded"; content: "User logged in"; classtype: successful-user; program: WPsyslog; reference: url,wiki.softwink.com/bin/view/Main/5000199; sid: 5000199; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"[WORDPRESS] - Wordpress WPsyslog was successfully initialized"; content: "WPsyslog was successfully init"; classtype: system-event; program: WPsyslog; reference: url,wiki.softwink.com/bin/view/Main/5000200; sid: 5000200; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"[WORDPRESS] - Wordpress WPsyslog Plugin deactivated"; content: "Plugin deactivated"; classtype: system-event; program: WPsyslog; reference: url,wiki.softwink.com/bin/view/Main/5000201; sid: 5000201; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"[WORDPRESS] - Wordpress Comment Flood Attempt"; content: "Comment flood attempt"; classtype: attempted-dos; program: WPsyslog; reference: url,wiki.softwink.com/bin/view/Main/5000202; sid: 5000202; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"[WORDPRESS] - Attack against Wordpress detected"; content: "Warning"; content: "IDS"; classtype: misc-attack; program: WPsyslog; reference: url,wiki.softwink.com/bin/view/Main/5000203; sid: 5000203; rev:1;) rules/xinetd.rules0000644000000000000000000001136311460047731013264 0ustar rootroot# Sagan xinetd.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[XINETD] Removing service"; content: "removing"; classtype: system-event; program: xinetd; reference: url,wiki.softwink.com/bin/view/Main/5000256; sid: 5000256; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[XINETD] Starting service"; content: "Started working"; classtype: system-event; program: xinetd; reference: url,wiki.softwink.com/bin/view/Main/5000257; sid: 5000257; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[XINETD] Excessive number connections to a service"; content: "deactivating service"; nocase; classtype: attempted-dos; program: xinetd; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000379; sid: 5000379; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg: "[XINETD] Telnet connection from remote host"; content: "START"; content: "telnet"; classtype: not-suspicious; program: xinetd; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000247; sid: 5000247; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg: "[XINETD] Telnet connection exit"; content: "EXIT"; content: "telnet"; classtype: not-suspicious; program: xinetd; reference: url,wiki.softwink.com/bin/view/Main/5000248; sid: 5000248; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg: "[XINETD] POP3 connection from remote host"; content: "START"; content: "pop-3"; classtype: not-suspicious; program: xinetd; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000249; sid: 5000249; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg: "[XINETD] POP3 connection exit"; content: "EXIT"; content: "pop-3"; classtype: not-suspicious; program: xinetd; reference: url,wiki.softwink.com/bin/view/Main/5000250; sid: 5000250; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg: "[XINETD] IMAP2 connection from remote host"; content: "START"; content: "imap2"; classtype: not-suspicious; 
program: xinetd; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000251; sid: 5000251; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg: "[XINETD] IMAP2 connection exit"; content: "EXIT"; content: "imap2"; classtype: not-suspicious; program: xinetd; reference: url,wiki.softwink.com/bin/view/Main/5000252; sid: 5000252; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg: "[XINETD] POP3S [SSL] connection from remote host"; content: "START"; content: "pop3s"; classtype: not-suspicious; program: xinetd; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000253; sid: 5000253; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg: "[XINETD] POP3S [SSL] connection exit"; content: "EXIT"; content: "pop3s"; classtype: not-suspicious; program: xinetd; reference: url,wiki.softwink.com/bin/view/Main/5000254; sid: 5000254; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg: "[XINETD] POP3S [SSL] User login "; content: "USERID"; content: "pop3s"; classtype: successful-user; program: xinetd; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000255; sid: 5000255; rev:1;) rules/zeus.rules0000644000000000000000000000616411460047376012767 0ustar rootroot# Sagan zeus.rules # Copyright (c) 2009-2010, Softwink, Inc. # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[ZEUS] Authentication failure"; content: "Authentication failure"; classtype: unsuccessful-user; program: zeus; reference: url,wiki.softwink.com/bin/view/Main/5000279; sid: 5000279; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[ZEUS] Configuration warning [ignored]"; content: "Unknown directive"; classtype: system-event; program: zeus; reference: url,wiki.softwink.com/bin/view/Main/5000280; sid: 5000280; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[ZEUS] Informational message"; pcre: "/^\[\S+ \S+\] INFO|^\[\S+ \S+\] SSL/"; classtype: system-event; program: zeus; reference: url,wiki.softwink.com/bin/view/Main/5000281; sid: 5000281; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[ZEUS] Warning message"; pcre: "/^\[\S+ \S+\] WARN/"; classtype: system-event; program: zeus; reference: url,wiki.softwink.com/bin/view/Main/5000282; sid: 5000282; rev:1;) alert syslog $EXTERNAL_NET 
any -> $HOME_NET any (msg: "[ZEUS] Serious message"; pcre: "/^\[\S+ \S+\] SERIOUS/"; classtype: system-event; program: zeus; reference: url,wiki.softwink.com/bin/view/Main/5000283; sid: 5000283; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[ZEUS] Fatal message"; pcre: "/^\[\S+ \S+\] FATAL/"; classtype: system-event; program: zeus; reference: url,wiki.softwink.com/bin/view/Main/5000284; sid: 5000284; rev:1;)